Preface


This user guide is intended for application developers who will use the Qualys FIM API. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com. 


Contact Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/. 
Chapter 1 - Welcome


Welcome to File Integrity Monitoring API. 


Get Started 


Qualys API Framework - Learn the basics about making API requests. The base URL 
depends on the platform where your Qualys account is located. 


Introduction to FIM API Paradigm - Get tips on using the Curl command-line tool to make
API requests. Every API request must authenticate using a JSON Web Token (JWT)
obtained from the Qualys Authentication API.


Get API Notifications 


Subscribe to our API Notifications RSS Feeds for announcements and latest news. 


From our Community 
Join our Community 


API Notifications RSS Feeds 


Qualys API Framework 


The Qualys File Integrity Monitoring API uses the following framework. 


Request URL 
The URL for making API requests respects the following structure: 
https://<baseurl>/<module>/<object>/<object_id>/<operation> 


where the components are described below. 


<baseurl>      The Qualys API server URL that you should use for API
               requests depends on the platform where your account
               is located. The base URL for Qualys US Platform 1 is:
               https://gateway.qg1.apps.qualys.com

<module>       The API module. For the FIM API, the module is: "fim".
<object>       The module specific object.
<object_id>    (Optional) The module specific object ID, if appropriate.
<operation>    The request operation, such as count.


Qualys API URL 


The Qualys API URL you should use for API requests depends on the Qualys platform 
where your account is located. 
Click here to identify your Qualys platform and get the API URL


This documentation uses the API gateway URL for Qualys US Platform 1 
(https://gateway.qg1.apps.qualys.com) in sample API requests. If you're on another 
platform, please replace this URL with the appropriate gateway URL for your account. 


Qualys API Postman Collection 


Interact with Qualys APIs using Postman. Instead of creating calls manually to send over 
the command line, you can use the Qualys Postman Collection to get started with Qualys 
APIs quickly. 


Click here to view the steps involved 
Introduction to FIM API Paradigm


Authentication 


You must authenticate to the Qualys Cloud Platform using Qualys account credentials 
(user name and password) and get the JSON Web Token (JWT) before you can start using 
the FIM APIs. Use the Qualys Authentication API to get the JWT. 


For example, 


curl -X POST https://gateway.qg1.apps.qualys.com/auth \
  -d "username=value1&password=passwordValue&token=true" \
  -H "Content-Type: application/x-www-form-urlencoded"


where gateway.qg1.apps.qualys.com is the base URL to the Qualys API server where your
account is located.


- username and password are the credentials of the user account for which you want to 
fetch FIM data 


- token should be true 
- Content-Type should be "application/x-www-form-urlencoded" 


The Authentication API returns a JSON Web Token (JWT) which you can use for
authentication during FIM API calls. The token expires in 4 hours. You must regenerate the
token to continue using the FIM API.


Using Curl 


Curl is a multi-platform command-line tool used to transfer data using multiple 
protocols. This tool is supported on many systems, including Windows, Unix, Linux and 
Mac. In this document Curl is used in the examples to build Qualys API requests using the
HTTP over SSL (https) protocol, which is required.


Want to learn more? Visit https://curl.haxx.se/ 


The following Curl options are used according to different situations: 


Option                               Description

-X GET/POST                          The GET method or the POST method is used as per requirement.

-H 'authorization: Bearer <token>'   This option is used to provide a custom HTTP request header parameter
                                     for authentication. Provide the JSON Web Token (JWT) received from
                                     Qualys authentication API in the following format:
                                     Authorization: Bearer <token>
                                     For information about Qualys authentication API, see Authentication.

-H 'content-type: application/json'  Denotes that content is in JSON format.

-d @request.json                     Provide a request.json file for parameter input.

--data-urlencode                     Used to encode spaces and special characters in the URL/Parameter
                                     values.
The sample below shows a typical Curl request using options mentioned above and how
they interact with each other.


curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v2/events/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json


Fetching more than ten thousand events 


FIM APIs are designed to fetch fewer than ten thousand events (9999 events) per page for
optimum performance. You can use the searchAfter parameter in order to fetch more than ten
thousand events.


First you need to use the sort parameter to sort events using a filter that has unique 
values such as ID, name, etc. Each event is returned with an identifier called sortValue. To 
fetch events beyond the current page size, in subsequent API requests, provide the 
sortValue of an event to the searchAfter parameter to fetch events after that specific 
event. 


searchAfter is supported for the following APIs: 


/fim/v2/events/search 
/fim/v2/events/ignore/search 
/fim/v2/incidents/{incidentId}/events/search 
/fim/v3/incidents/search 


For example, suppose you have fifteen thousand FIM events in your account. The first API 
request will only return 9999 events. To get events beyond 9999, in a subsequent API 
request, provide the sortValue of the 9999th event in the searchAfter parameter. The 
second API request will now fetch the remaining events starting from the 10000th event. 


For better performance, it is recommended to use smaller page sizes of 1000/2000 records. 


Example 
You need to sort a list before you can use searchAfter. 


Step 1) Search events using the sort parameter: 


Request: 


curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v2/events/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json


Contents of request.json:


{
  "sort":"[{\"dateTime\":\"desc\"},{\"id\":\"desc\"}]",
  "pageSize":10
}
Response:
[
  {
    "sortValues": [1556199372947, "9df007e9-9532-3558-a3a8-0b14d943670d"],
    "data": {
      "dateTime": "2019-04-25T13:36:12.947+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\inf\\setupapi.app.log",
      "severity": 4,
      "profiles": [
        {
          "name": "Minimum Baseline for PCI for Windows OS addTag",
          "rules": [
            {
              "severity": 4,
              "number": 6,
              "name": "Rule-6",
              "description": null,
              "id": "9287a14c-8036-4403-af88-f98ae8f920fb",
              "type": "directory"
            }
          ],
          "id": "03dc1773-ae2a-4d5f-a5b3-e662e14afbd2",
          "type": "WINDOWS",
          "category": {"name": "PCI", "id": "2dab5022-2fdd-11e7-93ae-92361f002671"}
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "NPFInstall.exe",
        "processID": 8632,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Npcap\\NPFInstall.exe",
        "userName": "MALWARELAB-IOC\\Administrator",
        "userID": "S-1-5-21-122566442-3410611961-1220210811-500"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "setupapi.app.log",
      "action": "Attributes",
      "id": "9df007e9-9532-3558-a3a8-0b14d943670d",
      "asset": {
        "agentId": "f2a0a778-e5b6-4486-826d-a106762588a2a",
        "interfaces": [
          {
            "hostname": "MALWARELAB-IOC",
            "macAddress": "00:50:56:AA:6B:B8",
            "address": "10.115.77.190",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2019-04-25T13:51:48.000Z",
        "created": "2018-11-01T04:58:21.000+0000",
        "hostId": "290890",
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2019-03-13T21:49:47.500Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "MALWARELAB-IOC",
        "name": "MALWARELAB-IOC",
        "agentVersion": "3.0.0.101",
        "updated": "2019-04-25T13:51:48.729+0000"
      },
      "class": "Disk"
    }
  },
  {
    "sortValues": [1556199372947, "05a9bbea-d03c-3bc3-9421-5d3cbb8ac630"],
    "data": {
      "dateTime": "2019-04-25T13:36:12.947+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\inf\\setupapi.app.log",
      "severity": 4,
      "profiles": [
        {
          "name": "Minimum Baseline for PCI for Windows OS addTag",
          "rules": [
            {
              "severity": 4,
              "number": 6,
              "name": "Rule-6",
              "description": null,
              "id": "9287a14c-8036-4403-af88-f98ae8f920fb",
              "type": "directory"
            }
          ],
          "id": "03dc1773-ae2a-4d5f-a5b3-e662e14afbd2",
          "type": "WINDOWS",
          "category": {"name": "PCI", "id": "2dab5022-2fdd-11e7-93ae-92361f002671"}
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "NPFInstall.exe",
        "processID": 8632,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Npcap\\NPFInstall.exe",
        "userName": "MALWARELAB-IOC\\Administrator",
        "userID": "S-1-5-21-122566442-3410611961-1220210811-500"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "setupapi.app.log",
      "action": "Attributes",
      "id": "05a9bbea-d03c-3bc3-9421-5d3cbb8ac630",
      "asset": {
        "agentId": "f2a0a778-e5b6-4486-826d-a106762588a2a",
        "interfaces": [
          {
            "hostname": "MALWARELAB-IOC",
            "macAddress": "00:50:56:AA:6B:B8",
            "address": "10.115.77.190",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2019-04-25T13:51:48.000Z",
        "created": "2018-11-01T04:58:21.000+0000",
        "hostId": "290890",
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2019-03-13T21:49:47.500Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "MALWARELAB-IOC",
        "name": "MALWARELAB-IOC",
        "agentVersion": "3.0.0.101",
        "updated": "2019-04-25T13:51:48.729+0000"
      },
      "class": "Disk"
    }
  },
  {
    "sortValues": [1556199372946, "d47984c3-71d8-36b5-84d4-bb0ec34af828"],
    "data": {
      "dateTime": "2019-04-25T13:36:12.946+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\inf\\setupapi.app.log",
      "severity": 4,
      "profiles": [
        {
          "name": "Minimum Baseline for PCI for Windows OS addTag",
          "rules": [
            {
              "severity": 4,
              "number": 6,
              "name": "Rule-6",
              "description": null,
              "id": "9287a14c-8036-4403-af88-f98ae8f920fb",
              "type": "directory"
            }
          ],
          "id": "03dc1773-ae2a-4d5f-a5b3-e662e14afbd2",
          "type": "WINDOWS",
          "category": {"name": "PCI", "id": "2dab5022-2fdd-11e7-93ae-92361f002671"}
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "NPFInstall.exe",
        "processID": 8632,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Npcap\\NPFInstall.exe",
        "userName": "MALWARELAB-IOC\\Administrator",
        "userID": "S-1-5-21-122566442-3410611961-1220210811-500"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "setupapi.app.log",
      "action": "Attributes",
      "id": "d47984c3-71d8-36b5-84d4-bb0ec34af828",
      "asset": {
        "agentId": "f2a0a778-e5b6-4486-826d-a106762588a2a",
        "interfaces": [
          {
            "hostname": "MALWARELAB-IOC",
            "macAddress": "00:50:56:AA:6B:B8",
            "address": "10.115.77.190",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2019-04-25T13:51:48.000Z",
        "created": "2018-11-01T04:58:21.000+0000",
        "hostId": "290890",
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2019-03-13T21:49:47.500Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "MALWARELAB-IOC",
        "name": "MALWARELAB-IOC",
        "agentVersion": "3.0.0.101",
        "updated": "2019-04-25T13:51:48.729+0000"
      },
      "class": "Disk"
    }
  },
  {
    "sortValues": [1556199372946, "0ac9f186-6787-339f-a768-929b39da6725"],
    "data": {
      "dateTime": "2019-04-25T13:36:12.946+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\inf\\setupapi.app.log",
      "severity": 4,
      "profiles": [
        {
          "name": "Minimum Baseline for PCI for Windows OS addTag",
          "rules": [
            {
              "severity": 4,
              "number": 6,
              "name": "Rule-6",
              "description": null,
              "id": "9287a14c-8036-4403-af88-f98ae8f920fb",
              "type": "directory"
            }
          ],
          "id": "03dc1773-ae2a-4d5f-a5b3-e662e14afbd2",
          "type": "WINDOWS",
          "category": {"name": "PCI", "id": "2dab5022-2fdd-11e7-93ae-92361f002671"}
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "NPFInstall.exe",
        "processID": 8632,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Npcap\\NPFInstall.exe",
        "userName": "MALWARELAB-IOC\\Administrator",
        "userID": "S-1-5-21-122566442-3410611961-1220210811-500"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "setupapi.app.log",
      "action": "Attributes",
      "id": "0ac9f186-6787-339f-a768-929539da6725",
      "asset": {
        "agentId": "f2a0a778-e5b6-4486-826d-a106762588a2a",
        "interfaces": [
          {
            "hostname": "MALWARELAB-IOC",
            "macAddress": "00:50:56:AA:6B:B8",
            "address": "10.115.77.190",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2019-04-25T13:51:48.000Z",
        "created": "2018-11-01T04:58:21.000+0000",
        "hostId": "290890",
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2019-03-13T21:49:47.500Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "MALWARELAB-IOC",
        "name": "MALWARELAB-IOC",
        "agentVersion": "3.0.0.101",
        "updated": "2019-04-25T13:51:48.729+0000"
      },
      "class": "Disk"
    }
  }
]


Step 2) Take one of the sortValues from the above response and provide it as input for 
searchAfter. This will fetch events after that particular sortValue. 


Request: 


curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v2/events/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json


Contents of request.json:


{
  "sort":"[{\"dateTime\":\"desc\"},{\"id\":\"desc\"}]",
  "pageSize":10,
  "searchAfter":[1556199372947,"05a9bbea-d03c-3bc3-9421-5d3cbb8ac630"]
}
Response:
[
  {
    "sortValues": [1556199372946, "d47984c3-71d8-36b5-84d4-bb0ec34af828"],
    "data": {
      "dateTime": "2019-04-25T13:36:12.946+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\inf\\setupapi.app.log",
      "severity": 4,
      "profiles": [
        {
          "name": "Minimum Baseline for PCI for Windows OS addTag",
          "rules": [
            {
              "severity": 4,
              "number": 6,
              "name": "Rule-6",
              "description": null,
              "id": "9287a14c-8036-4403-af88-f98ae8f920fb",
              "type": "directory"
            }
          ],
          "id": "03dc1773-ae2a-4d5f-a5b3-e662e14afbd2",
          "type": "WINDOWS",
          "category": {"name": "PCI", "id": "2dab5022-2fdd-11e7-93ae-92361f002671"}
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "NPFInstall.exe",
        "processID": 8632,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Npcap\\NPFInstall.exe",
        "userName": "MALWARELAB-IOC\\Administrator",
        "userID": "S-1-5-21-122566442-3410611961-1220210811-500"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "setupapi.app.log",
      "action": "Attributes",
      "id": "d47984c3-71d8-36b5-84d4-bb0ec34af828",
      "asset": {
        "agentId": "f2a0a778-e5b6-4486-826d-a106762588a2a",
        "interfaces": [
          {
            "hostname": "MALWARELAB-IOC",
            "macAddress": "00:50:56:AA:6B:B8",
            "address": "10.115.77.190",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2019-04-25T13:51:48.000Z",
        "created": "2018-11-01T04:58:21.000+0000",
        "hostId": "290890",
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2019-03-13T21:49:47.500Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "MALWARELAB-IOC",
        "name": "MALWARELAB-IOC",
        "agentVersion": "3.0.0.101",
        "updated": "2019-04-25T13:51:48.729+0000"
      },
      "class": "Disk"
    }
  },
  {
    "sortValues": [1556199372946, "0ac9f186-6787-339f-a768-929b39da6725"],
    "data": {
      "dateTime": "2019-04-25T13:36:12.946+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\inf\\setupapi.app.log",
      "severity": 4,
      "profiles": [
        {
          "name": "Minimum Baseline for PCI for Windows OS addTag",
          "rules": [
            {
              "severity": 4,
              "number": 6,
              "name": "Rule-6",
              "description": null,
              "id": "9287a14c-8036-4403-af88-f98ae8f920fb",
              "type": "directory"
            }
          ],
          "id": "03dc1773-ae2a-4d5f-a5b3-e662e14afbd2",
          "type": "WINDOWS",
          "category": {"name": "PCI", "id": "2dab5022-2fdd-11e7-93ae-92361f002671"}
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "NPFInstall.exe",
        "processID": 8632,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Npcap\\NPFInstall.exe",
        "userName": "MALWARELAB-IOC\\Administrator",
        "userID": "S-1-5-21-122566442-3410611961-1220210811-500"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "setupapi.app.log",
      "action": "Attributes",
      "id": "0ac9f186-6787-339f-a768-929539da6725",
      "asset": {
        "agentId": "f2a0a778-e5b6-4486-826d-a106762588a2a",
        "interfaces": [
          {
            "hostname": "MALWARELAB-IOC",
            "macAddress": "00:50:56:AA:6B:B8",
            "address": "10.115.77.190",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2019-04-25T13:51:48.000Z",
        "created": "2018-11-01T04:58:21.000+0000",
        "hostId": "290890",
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2019-03-13T21:49:47.500Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "MALWARELAB-IOC",
        "name": "MALWARELAB-IOC",
        "agentVersion": "3.0.0.101",
        "updated": "2019-04-25T13:51:48.729+0000"
      },
      "class": "Disk"
    }
  },
  {
    "sortValues": [1556199372943, "eea0d64e-31ca-3269-91ed-cfb1112fbf17"],
    "data": {
      "dateTime": "2019-04-25T13:36:12.943+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\inf\\setupapi.app.log",
      "severity": 4,
      "profiles": [
        {
          "name": "Minimum Baseline for PCI for Windows OS addTag",
          "rules": [
            {
              "severity": 4,
              "number": 6,
              "name": "Rule-6",
              "description": null,
              "id": "9287a14c-8036-4403-af88-f98ae8f920fb",
              "type": "directory"
            }
          ],
          "id": "03dc1773-ae2a-4d5f-a5b3-e662e14afbd2",
          "type": "WINDOWS",
          "category": {"name": "PCI", "id": "2dab5022-2fdd-11e7-93ae-92361f002671"}
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "NPFInstall.exe",
        "processID": 8632,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Npcap\\NPFInstall.exe",
        "userName": "MALWARELAB-IOC\\Administrator",
        "userID": "S-1-5-21-122566442-3410611961-1220210811-500"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "setupapi.app.log",
      "action": "Attributes",
      "id": "eea0d64e-31ca-3269-91ed-cfb1112fbf17",
      "asset": {
        "agentId": "f2a0a778-e5b6-4486-826d-a106762588a2a",
        "interfaces": [
          {
            "hostname": "MALWARELAB-IOC",
            "macAddress": "00:50:56:AA:6B:B8",
            "address": "10.115.77.190",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2019-04-25T13:51:48.000Z",
        "created": "2018-11-01T04:58:21.000+0000",
        "hostId": "290890",
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2019-03-13T21:49:47.500Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "MALWARELAB-IOC",
        "name": "MALWARELAB-IOC",
        "agentVersion": "3.0.0.101",
        "updated": "2019-04-25T13:51:48.729+0000"
      },
      "class": "Disk"
    }
  }
]
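
The searchAfter procedure from Steps 1 and 2, as an added example that is not part of the Qualys guide: a Python generator that repeats the request with the last event's sortValues until a short page arrives, so an export of FIM events to a SIEM does not skip or repeat events at page boundaries. The function names, the fake backend and the `evt-NNNN` events are constructed for illustration; the page boundary deliberately falls between events that share one timestamp, as the two 1556199372947 events do above.

```python
import json
import urllib.request

GATEWAY = "https://gateway.qg1.apps.qualys.com"  # US Platform 1 gateway used on this page
# The guide sends "sort" as a JSON-encoded string; "id" breaks ties between equal dateTime values.
SORT = json.dumps([{"dateTime": "desc"}, {"id": "desc"}])


def http_post(path, token, body):
    """Real transport (not exercised offline): POST JSON with the Bearer JWT, return parsed JSON."""
    req = urllib.request.Request(
        GATEWAY + path,
        data=json.dumps(body).encode("utf-8"),
        headers={"authorization": "Bearer " + token,
                 "content-type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def fetch_all_events(post, filter_query=None, page_size=1000):
    """Yield every matching event by following searchAfter from page to page.

    post(body) must return the API's list of {"sortValues": [...], "data": {...}},
    e.g. lambda b: http_post("/fim/v2/events/search", token, b).
    """
    if not 1 <= page_size <= 9999:
        raise ValueError("pageSize must stay below ten thousand")
    body = {"sort": SORT, "pageSize": page_size}
    if filter_query:
        body["filter"] = filter_query
    while True:
        page = post(body)
        yield from page
        if len(page) < page_size:      # short (or empty) page: nothing left to fetch
            return
        cursor = page[-1].get("sortValues")
        if not cursor:                 # sortValues is [] when the request was not sorted
            raise RuntimeError("last event has no sortValues; cannot continue")
        if cursor == body.get("searchAfter"):
            raise RuntimeError("cursor did not advance; aborting to avoid a loop")
        body = dict(body, searchAfter=cursor)


def make_fake_backend(events):
    """Constructed offline stand-in for the search endpoint: newest first, honours searchAfter."""
    ordered = sorted(events, key=lambda e: (e["ms"], e["id"]), reverse=True)
    calls = []

    def post(body):
        calls.append(dict(body))
        rows = ordered
        if "searchAfter" in body:
            ms, ev_id = body["searchAfter"]
            # Events strictly after the cursor in (dateTime desc, id desc) order.
            rows = [e for e in ordered if (e["ms"], e["id"]) < (ms, ev_id)]
        return [{"sortValues": [e["ms"], e["id"]], "data": e}
                for e in rows[:body["pageSize"]]]

    return post, calls


def demo(total=25, page_size=10):
    """Constructed events: every three share one millisecond timestamp."""
    events = [{"ms": 1556199372947 - i // 3, "id": "evt-%04d" % i} for i in range(total)]
    post, calls = make_fake_backend(events)
    return list(fetch_all_events(post, page_size=page_size)), calls


if __name__ == "__main__":
    got, calls = demo()
    print(len(got), "events in", len(calls), "requests")
    print("second request searchAfter:", calls[1]["searchAfter"])
```

Because the JWT expires after 4 hours, a long-running export should obtain a fresh token and resume from the last sortValues it stored instead of restarting from the first page.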
Use these API functions to fetch FIM event data.


Fetch events 
Get event count 


Fetch event details 


Fetch events 
/fim/v2/events/search 


[POST] 


Get FIM events from the user account. 


Input Parameters 


filter (String) 


Filter the events list by providing a query using Qualys syntax.
Refer to the "How to Search" topic in the online help for
assistance with creating your query.

For example - dateTime:['2019-02-25T18:30:00.000Z'..'2019-02-26T18:29:59.999Z'] AND action: 'Create'

You can filter events based on the time they are generated on 
the asset (dateTime) or based on the time they are processed 
at Qualys (processedTime). 

Note: For the dateTime filter start date should not be lower 
than 2017-01-01. The processedTime filter can be used only 
for events generated post FIM release 2.0.2. 


pageNumber (String) 


The page to be returned. Starts from zero. 


pageSize (String) 


The number of records per page to be included in the 
response. Default is 10. 


sort (String) 


Sort the results using a Qualys token. For example -
[{\"action\":\"asc\"}]


incidentContext (Boolean) 


Search within incidents. Default is false. 


incidentIds (String)


List of incident IDs to be included while searching for events 
in incidents. 


Authorization (String) 


(Required) Authorization token to authenticate to the Qualys
Cloud Platform.

Prepend token with "Bearer" and one space. For example -
Bearer authToken
Sample 1


Request:


curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v2/events/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json


Contents of request.json: 
{ 
"pageSize":100, 
"filter": "profiles.name: Windows Profile - PCI(NJJ)" 
} 


Response:
[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2018-04-25T17:33:29.806+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\System32\\config\\systemprofile\\ntuser.dat",
      "severity": 4,
      "profiles": [
        {
          "name": "Windows Profile - PCI(NJJ)",
          "rules": [
            {
              "severity": 4,
              "description": null,
              "id": "d6éeb7£77-3726-47b3-90d8-3ecc8d8978e0",
              "type": "directory"
            }
          ],
          "id": "1c3b44f4-fd76-4c4d-8a4e-bebdad5fa124",
          "type": "WINDOWS",
          "category": null
        }
      ],
      "type": "File",
      "changedAttributes": [],
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "QualysAgent.exe",
        "processID": 11280,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
        "userName": "NT AUTHORITY\\SYSTEM",
        "userID": "S-1-5-18"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "ntuser.dat",
      "action": "Attributes",
      "id": "af8b4ba2-d773-307a-834b-415e6b28d31f",
      "asset": {
        "agentId": "04b3dd30-e731-4d0d-a921-20b6b2d2997c",
        "interfaces": [
          {
            "hostname": "CAAUTOMATION-PC",
            "macAddress": "00:50:56:9F:FF:54",
            "address": "10.113.197.104",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2018-04-26T05:52:19.000Z",
        "created": 1523941162000,
        "hostId": null,
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2018-01-15T12:37:35.000Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "CAAUTOMATION-PC",
        "name": "CAAUTOMATION-PC",
        "agentVersion": "2.0.6.1",
        "updated": 1524721941789
      },
      "class": "Disk"
    }
  }
]
Sample 2


Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v2/events/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json


Contents of request.json:
{
  "pageSize":100,
  "filter":"reputationStatus: MALICIOUS"
}


Response:
[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2021-01-25T17:33:29.806+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\System32\\config\\systemprofile\\Terminator.exe",
      "severity": 4,
      "profiles": [
        {
          "name": "Terminator.exe",
          "rules": [
            {
              "severity": 4,
              "description": null,
              "id": "d6éeb7£77-3726-47b3-90d8-3ecc8d8978e9",
              "type": "directory"
            }
          ],
          "id": "1c3b44f4-fd76-4c4d-8a4e-bebdad5fa124",
          "type": "WINDOWS",
          "category": null
        }
      ],
      "type": "File",
      "changedAttributes": [2, 4, 8, 16],
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "update.exe",
        "processID": 11280,
        "imagePath": "C:\\Windows\\system32\\update.exe",
        "userName": "NT AUTHORITY\\SYSTEM",
        "userID": "S-1-5-18"
      },
      "newContent": null,
      "customerId": "58p888be-a90f-e3be-838d-88877aee572p",
      "name": "ntuser.dat",
      "action": "Create",
      "id": "af8b4ba2-d773-307a-834b-415e6b28d31f",
      "asset": {
        "agentId": "04b3dd30-e731-4d0d-a921-20b6b2d2997c",
        "interfaces": [
          {
            "hostname": "CAAUTOMATION-PC",
            "macAddress": "00:50:56:9F:FF:54",
            "address": "10.113.197.104",
            "interfaceName": "Intel PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2018-04-26T05:52:19.000Z",
        "created": 1523941162000,
        "hostId": null,
        "operatingSystem": "Microsoft Windows 10 Pro 10.0.10586 N/A Build 10586",
        "tags": ["7650412", "7655820", "7895614"],
        "assetType": "HOST",
        "system": {"lastBoot": "2018-01-15T12:37:35.000Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "CAAUTOMATION-PC",
        "name": "CAAUTOMATION-PC",
        "agentVersion": "2.0.6.1",
        "updated": 1524721941789
      },
      "class": "Disk",
      "fileContentHash": "50dc26047f5572a38aa7adb4e9b140dc301ea41d1f4bed5095aled7fc1qd03fbc",
      "reputationStatus": "MALICIOUS",
      "fileCertificateHash": [
        "dl2bed1761e1b2c244db23cebe4185c2b0839%eee",
        "7ade32c9b68b944pf291dlfcc59faef061a6d2f2"
      ],
      "trustStatus": "UNTRUSTED"
    }
  }
]
Sample 3


Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v2/events/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json


Contents of request.json:
{
  "pageSize":100,
  "filter":"registryKey.name: Data"
}


Response:
[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2021-03-05T11:28:36.455+0000",
      "fullPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Data",
      "type": "Value",
      "platform": "WINDOWS",
      "oldContent": null,
      "newContent": null,
      "customerId": "OOXXXX-643f-f4af-8336-b253066XXXX",
      "action": "Content",
      "id": "el15XXXX-af72-37b5-8f92-%878bbbba53",
      "severity": 3,
      "fileCertificateHash": null,
      "profiles": [
        {
          "name": "Profile Name",
          "rules": [
            {
              "severity": 3,
              "number": 1,
              "name": "Rule 1",
              "description": "Rule 1",
              "section": null,
              "id": "4282XXXX-cc33-49d8-82df-53a800e27XXXX",
              "type": "key"
            }
          ],
          "id": "f99941de-2296-4044-bfca-05aeb4575ef5",
          "type": "WINDOWS",
          "category": {"name": "PCI", "id": "2dabXXXX-2fdd-11e7-93ae-92361f00XXXX"}
        }
      ],
      "changedAttributes": null,
      "processedTime": "2021-03-05T05:37:30.311+0000",
      "actor": {
        "process": "reg.exe",
        "processID": 2811,
        "imagePath": "C:\\Windows\\System32\\reg.exe",
        "userName": "MSEDGEWIN10\\IEUser",
        "userID": "S-1-5-21-3461203602-4096304019-2269080069-1000"
      },
      "name": null,
      "asset": {
        "agentId": "7c99XXXX-92fa-4943-91ab-249e341dd10d",
        "interfaces": [
          {
            "hostname": "WIN10-122.WORKGROUP",
            "macAddress": "00:50:56:AA:5C:85",
            "address": "10.115.98.122",
            "interfaceName": "Intel(R) 82574L Gigabit Network Connection"
          }
        ],
        "lastCheckedIn": "2019-07-23T11:01:00.000Z",
        "created": "2021-01-11T06:40:09.930+0000",
        "hostId": null,
        "operatingSystem": "Microsoft Windows 10 Pro 10.0.10586 N/A Build 10586",
        "tags": ["7508831", "7526815", "7503230"],
        "assetType": "HOST",
        "system": {"lastBoot": "2019-07-23T11:01:00.000Z"},
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "WIN10-122",
        "name": "WIN10-122",
        "agentVersion": "3.0.0.101",
        "updated": "2021-01-11T06:40:09.930+0000"
      },
      "fileContentHash": null,
      "reputationStatus": null,
      "registryPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
      "registryName": "Data",
      "oldRegistryValueType": "REG_MULTI_SZ",
      "oldRegistryValueContent": [
        "Multvalue string",
        "Multvalue string"
      ],
      "newRegistryValueType": "REG_MULTI_SZ",
      "newRegistryValueContent": [
        "Multvalue string1",
        "Multvalue string2"
      ],
      "class": "Registry"
    }
  }
]
Get number of FIM events logged.


Input Parameters 


filter (String) 


Filter the events list by providing a query using Qualys syntax. 
Refer to the “How to Search” topic in the Online help for 
assistance with creating your query. 

For example - dateTime:['2019-02-25T18:30:00.000Z'..'2019-02-26T18:29:59.999Z'] AND action: 'Content'

You can filter events based on the time they are generated on 
the asset (dateTime) or based on the time they are processed 
at Qualys (processedTime). 

Note: For the dateTime filter start date should not be lower 
than 2017-01-01. The processedTime filter can be used only 
for events generated post FIM release 2.0.2. 


groupBy (String) 


Group results based on certain parameters (provide comma 
separated list). 
For example - action 


limit (String) 


Limit the number of rows fetched by the groupBy function. 


sort (String) 


Sort the results using a Qualys token. For example - 
WNdateTimeV'W'ascW')] 


interval (String) 


GroupBy interval for date fields. Valid values are y(year), 
q(quarter), M(month), w(week), d(day), h(hour), m(minute), 
s(second). For example - 1d 

An interval lower than a second is not supported. 

Note: Value for each interval period should be 1. For example, 
you can specify an interval of 1y, 1M, 1w, and so on, but not 
2y, 3M, etc. 


incidentContext (Boolean) 


Search within incidents. Default is false. 


incidentlds (String) 


List of incident IDs to be included while searching for events 
in incidents. 


Authorization (String) 


(Required) Authorization token to authenticate to the Qualys 
Cloud Platform. 

Prepend token with "Bearer" and one space. For example - 
Bearer authToken 


Sample


Request:
curl -X POST
https://gateway.qg1.apps.qualys.com/fim/v2/events/count -H
'authorization: Bearer <token>' -H 'content-type:
application/json' -d @request.json


Contents of request.json:
{
  "groupBy": ["profiles.rules.type", "profiles.rules.severity", "profiles.rules.id"]
}


Response: 


Fetch event details
/fim/v2/events/{eventId}
[GET]


Fetch details for an event.


Input Parameters


eventId (String) (Required) ID of the event you want to fetch the details for.


Authorization (String) (Required) Authorization token to authenticate to the Qualys
Cloud Platform.
Prepend token with "Bearer" and one space. For example -
Bearer authToken


Sample 1


Request:
curl -X GET
https://gateway.qg1.apps.qualys.com/fim/v2/events/af8b4ba2-d773-307a-834b-415e6b28d31f
-H 'authorization: Bearer <token>' -H 'content-type: application/json'


Response:
{
  "dateTime": "2018-04-25T17:33:29.806+0000",
  "fullPath": "\\Device\\HarddiskVolume2\\Windows\\System32\\config\\systemprofile\\ntuser.dat",
  "severity": 4,
  "profiles": [
    {
      "name": "Windows Profile - PCI(NJJ)",
      "rules": [
        {
          "severity": 4,
          "description": null,
          "id": "d6eb7f77-3726-47b3-90d8-3ecc8d8978e0",
          "type": "directory"
        }
      ],
      "id": "1c3b44f4-fd76-4c4d-8a4e-bebdad5fa124",
      "type": "WINDOWS",
      "category": null
    }
  ],
  "type": "File",
  "changedAttributes": [
    16
  ],
  "platform": "WINDOWS",
  "oldContent": null,
  "actor": {
    "process": "QualysAgent.exe",
    "processID": 11280,
    "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
    "userName": "NT AUTHORITY\\SYSTEM",
    "userID": "S-1-5-18"
  },
  "newContent": null,
  "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
  "name": "ntuser.dat",
  "action": "Attributes",
  "attributes": {
    "old": null,
    "new": [
      "Archive"
    ]
  },
  "id": "af8b4ba2-d773-307a-834b-415e6b28d31f",
  "asset": {
    "agentId": "04b3dd30-e731-4d0d-a921-20b6b2d2997c",
    "interfaces": [
      {
        "hostname": "CAAUTOMATION-PC",
        "macAddress": "00:50:56:9F:FF:54",
        "address": "10.113.197.104",
        "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
      }
    ],
    "lastCheckedIn": "2018-04-26T05:52:19.000Z",
    "created": 1523941162000,
    "hostId": null,
    "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
    "tags": [
      "6504127",
      "7655820",
      "7895614"
    ],
    "assetType": "HOST",
    "system": {
      "lastBoot": "2018-01-15T12:37:35.000Z"
    },
    "ec2": null,
    "lastLoggedOnUser": ".\\Administrator",
    "netbiosName": "CAAUTOMATION-PC",
    "name": "CAAUTOMATION-PC",
    "agentVersion": "2.0.6.1",
    "updated": 1524721941789
  },
  "class": "Disk"
}


Sample 2


Request:
curl -X GET
https://gateway.qg1.apps.qualys.com/fim/v2/events/f5892105-0100-3dbb-a007-556fae7afea5
-H 'authorization: Bearer <token>' -H 'content-type: application/json'


Response:
{
  "dateTime": "2018-04-25T17:33:29.806+0000",
  "fullPath": "\\Device\\HarddiskVolume2\\Windows\\System32\\config\\systemprofile\\Terminator.exe",
  "severity": 4,
  "profiles": [
    {
      "name": "Windows Profile - PCI(NJJ)",
      "rules": [
        {
          "severity": 4,
          "description": null,
          "id": "d6eb7f77-3726-47b3-90d8-3ecc8d8978e0",
          "type": "directory"
        }
      ],
      "id": "f589a105-0100-3dbb-a007-556fae7afea5",
      "type": "WINDOWS",
      "category": null
    }
  ],
  "type": "File",
  "changedAttributes": [
    16
  ],
  "platform": "WINDOWS",
  "oldContent": null,
  "actor": {
    "process": "update.exe",
    "processID": 11280,
    "imagePath": "C:\\Windows\\system32\\update.exe",
    "userName": "NT AUTHORITY\\SYSTEM",
    "userID": "S-1-5-18"
  },
  "newContent": null,
  "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
  "name": "Terminator.exe",
  "action": "Attributes",
  "attributes": {
    "old": null,
    "new": [
      "Archive"
    ]
  },
  "id": "af8b4ba2-d773-307a-834b-415e6b28d31f",
  "asset": {
    "agentId": "04b3dd30-e731-4d0d-a921-20b6b2d2997c",
    "interfaces": [
      {
        "hostname": "CAAUTOMATION-PC",
        "macAddress": "00:50:56:9F:FF:54",
        "address": "10.113.197.104",
        "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
      }
    ],
    "lastCheckedIn": "2018-04-26T05:52:19.000Z",
    "created": 1523941162000,
    "hostId": null,
    "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
    "tags": [
      "7650412",
      "7655820",
      "7895614"
    ],
    "assetType": "HOST",
    "system": {
      "lastBoot": "2018-01-15T12:37:35.000Z"
    },
    "ec2": null,
    "lastLoggedOnUser": ".\\Administrator",
    "netbiosName": "CAAUTOMATION-PC",
    "name": "CAAUTOMATION-PC",
    "agentVersion": "2.0.6.1",
    "updated": 1524721941789
  },
  "class": "Disk",
  "fileContentHash": "50dc26047f5572a38aa7adb4e9b140dc301ea41d1f4bed5095a1ed7fc1d03fbc",
  "reputationStatus": "MALICIOUS",
  "fileCertificateHash": [
    "d12bed1761e1b2c244db23cebe4185c2b0839eee",
    "1ade32c9b68b944bf291d1fcc59faef061a6d2f2"
  ],
  "trustStatus": "UNTRUSTED"
}


Sample 3


Request:
curl -X GET
https://gateway.qg1.apps.qualys.com/fim/v2/events/e115XXXX-af72-37b5-8f92-9e878bbbba53
-H 'authorization: Bearer <token>' -H 'content-type: application/json'


Response:
{
  "dateTime": "2021-03-05T11:28:36.455+0000",
  "fullPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Data",
  "type": "Value",
  "platform": "WINDOWS",
  "oldContent": null,
  "newContent": null,
  "customerId": "00XXXX-643f-f4af-8336-b253066XXXX",
  "action": "Content",
  "id": "e115XXXX-af72-37b5-8f92-9e878bbbba53",
  "severity": 3,
  "fileCertificateHash": null,
  "profiles": [
    {
      "name": "Profile Name",
      "rules": [
        {
          "severity": 3,
          "number": 1,
          "name": "Rule 1",
          "description": "Rule 1",
          "section": null,
          "id": "4282XXXX-cc33-49d8-82df-53a00e27XXXX",
          "type": "key"
        }
      ],
      "id": "f99941de-2296-4044-bfca-05aeb4575ef5",
      "type": "WINDOWS",
      "category": {
        "name": "PCI",
        "id": "2dabXXXX-2fdd-11e7-93ae-92361f00XXXX"
      }
    }
  ],
  "changedAttributes": null,
  "processedTime": "2021-03-05T05:37:30.311+0000",
  "actor": {
    "process": "reg.exe",
    "processID": 2811,
    "imagePath": "C:\\Windows\\System32\\reg.exe",
    "userName": "MSEDGEWIN10\\IEUser",
    "userID": "S-1-5-21-3461203602-4096304019-2269080069-1000"
  },
  "name": null,
  "asset": {
    "agentId": "7c99XXXX-92fa-4943-91ab-249e341dd10d",
    "interfaces": [
      {
        "hostname": "WIN10-122.WORKGROUP",
        "macAddress": "00:50:56:AA:5C:85",
        "address": "10.115.98.122",
        "interfaceName": "Intel(R) 82574L Gigabit Network Connection"
      }
    ],
    "lastCheckedIn": "2019-07-23T11:01:00.000Z",
    "created": "2021-01-11T06:40:09.930+0000",
    "hostId": null,
    "operatingSystem": "Microsoft Windows 10 Pro 10.0.10586 N/A Build 10586",
    "tags": [
      "7508831",
      "7526815",
      "7593230"
    ],
    "assetType": "HOST",
    "system": {
      "lastBoot": "2019-07-23T11:01:00.000Z"
    },
    "ec2": null,
    "lastLoggedOnUser": ".\\Administrator",
    "netbiosName": "WIN10-122",
    "name": "WIN10-122",
    "agentVersion": "3.0.0.101",
    "updated": "2021-01-11T06:40:09.930+0000"
  },
  "fileContentHash": null,
  "reputationStatus": null,
  "registryPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
  "registryName": "Data",
  "oldRegistryValueType": "REG_MULTI_SZ",
  "oldRegistryValueContent": [
    "Multvalue string",
    "Multvalue string"
  ],
  "newRegistryValueType": "REG_MULTI_SZ",
  "newRegistryValueContent": [
    "Multvalue string1",
    "Multvalue string2"
  ],
  "class": "Registry"
}


Use these API functions to fetch FIM event data for ignored events.
Fetch ignored events
Get ignored events count
Fetch ignored event details


Fetch ignored events
/fim/v2/events/ignore/search
[POST]

Get FIM events that are ignored.


Input Parameters


filter (String) Filter the events list by providing a query using Qualys syntax.
Refer to the “How to Search” topic in the online help for
assistance with creating your query.

For example - dateTime:['2019-02-25T18:30:00.000Z'..'2019-02-26T18:29:59.999Z']

You can filter events based on the time they are generated on
the asset (dateTime) or based on the time they are processed
at Qualys (processedTime).

Note: For the dateTime filter, the start date should not be earlier
than 2017-01-01. The processedTime filter can be used only
for events generated after FIM release 2.0.2.


pageNumber (String) The page to be returned. Starts from zero.


pageSize (String) The number of records per page to be included in the
response. Default is 10.


sort (String) Sort the results using a Qualys token. For example -
[{\"action\":\"asc\"}]


Authorization (String) (Required) Authorization token to authenticate to the Qualys
Cloud Platform.
Prepend token with "Bearer" and one space. For example -
Bearer authToken


Sample 1


Request:
curl -X POST
https://gateway.qg1.apps.qualys.com/fim/v2/events/ignore/search -H
'authorization: Bearer <token>' -H 'content-type:
application/json' -d @request.json


Contents of request.json:
{
  "pageSize":1,
  "filter":"dateTime: ['2018-06-25T18:30:00.000Z'..'2019-02-20T18:29:59.999Z']"
}


Response:
[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2018-07-12T15:19:33.704+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\FIM\\MobaXterm installer.msi",
      "severity": 5,
      "profiles": [
        {
          "name": "Bug Test 1",
          "rules": [
            {
              "severity": 2,
              "description": "",
              "id": "df74b8e2-704b-419e-818e-3c7f4e4a2838",
              "type": "directory"
            }
          ],
          "id": "a0f61a71-fc03-4d9e-a234-fb39afa35d66",
          "type": "WINDOWS",
          "category": {
            "name": "PCI",
            "id": "2dab5022-2fdd-11e7-93ae-92361f002671"
          }
        },
        {
          "name": "Bug Test Profile",
          "rules": [
            {
              "severity": 5,
              "description": "",
              "id": "c9a0d542-2d00-4a34-8ffd-b07a4826739a",
              "type": "directory"
            }
          ],
          "id": "f214c35a-441e-450a-b817-2f162add6854",
          "type": "WINDOWS",
          "category": {
            "name": "PCI",
            "id": "2dab5022-2fdd-11e7-93ae-92361f002671"
          }
        }
      ],
      "type": "File",
      "changedAttributes": null,
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "Explorer.EXE",
        "processID": 312,
        "imagePath": "\\Device\\HarddiskVolume2\\Windows\\Explorer.EXE",
        "userName": "CAAUTOMATION-PC\\Administrator",
        "userID": "S-1-5-21-3436480518-4193688097-2835352598-500"
      },
      "newContent": null,
      "ignoreDate": "2018-07-24",
      "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
      "name": "MobaXterm installer.msi",
      "action": "Delete",
      "id": "c6d7929c-85cb-3791-b6ed-2bcd9a7682cb",
      "asset": {
        "agentId": "fe94430f-f12c-4c6d-a9c2-a660049d69e5",
        "interfaces": [
          {
            "hostname": "CAAUTOMATION-PC",
            "macAddress": "00:50:56:9F:FF:54",
            "address": "10.113.197.104",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2018-07-12T15:07:23.000Z",
        "created": 1531195694000,
        "hostId": null,
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": [
          "8072536",
          "7895614",
          "7655820",
          "7650412"
        ],
        "assetType": "HOST",
        "system": {
          "lastBoot": "2018-06-14T16:29:03.000Z"
        },
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "CAAUTOMATION-PC",
        "name": "IOC-104",
        "agentVersion": "2.0.6.1",
        "updated": 1531408044017
      },
      "class": "Disk"
    }
  }
]


Sample 2


Request:
curl -X POST
https://gateway.qg1.apps.qualys.com/fim/v2/events/ignore/search -H
'authorization: Bearer <token>' -H 'content-type:
application/json' -d @request.json


Contents of request.json:
{
  "pageSize":100,
  "filter":"reputationStatus: MALICIOUS"
}


Response:
{
  "dateTime": "2021-01-19T07:09:07.116+0000",
  "fullPath": "\\Device\\HarddiskVolume2\\FIM\\ProdCerts",
  "severity": 3,
  "profiles": [
    {
      "name": "Bug Test Profile",
      "rules": [
        {
          "severity": 3,
          "description": "",
          "id": "c9a0d542-2d00-4a34-8ffd-b07a4826739a",
          "type": "directory"
        }
      ],
      "id": "f214c35a-441e-450a-b817-2f162add6854",
      "type": "WINDOWS",
      "category": {
        "name": "PCI",
        "id": "f589a105-0100-3dbb-a007-556fae7afea5"
      }
    }
  ],
  "type": "Directory",
  "changedAttributes": null,
  "platform": "WINDOWS",
  "oldContent": null,
  "actor": {
    "process": "Explorer.EXE",
    "processID": 312,
    "imagePath": "\\Device\\HarddiskVolume2\\Windows\\Explorer.EXE",
    "userName": "CAAUTOMATION-PC\\Administrator",
    "userID": "S-1-5-21-3436480518-4193688097-2835352598-500"
  },
  "newContent": null,
  "ignoreDate": "2021-01-19",
  "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
  "name": "ProdCerts",
  "action": "Create",
  "id": "5ca3af2b-991d-3154-acce-6ebbad2a6cc1",
  "asset": {
    "agentId": "b1362e7f-a29c-4226-a9a2-f91747f7e009",
    "interfaces": [
      {
        "hostname": "CAAUTOMATION-PC",
        "macAddress": "00:50:56:9F:FF:54",
        "address": "10.113.197.104",
        "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
      }
    ],
    "lastCheckedIn": "2021-01-19T07:02:08.000Z",
    "created": 1529071987000,
    "hostId": null,
    "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
    "tags": [
      "7895614",
      "7655820",
      "7650412",
      "8072536"
    ],
    "assetType": "HOST",
    "system": {
      "lastBoot": "2018-06-14T16:29:03.000Z"
    },
    "ec2": null,
    "lastLoggedOnUser": ".\\Administrator",
    "netbiosName": "CAAUTOMATION-PC",
    "name": "CAAUTOMATION-PC",
    "agentVersion": "2.0.6.1",
    "updated": 1529391745750
  },
  "class": "Disk",
  "fileContentHash": "50dc26047f5572a38aa7adb4e9b140dc301ea41d1f4bed5095a1ed7fc1d03fbc",
  "reputationStatus": "KNOWN",
  "fileCertificateHash": [
    "d12bed1761e1b2c244db23cebe4185c2b0839eee",
    "1ade32c9b68b944bf291d1fcc59faef061a6d2f2"
  ],
  "trustStatus": "TRUSTED"
}


Sample 3


Request:
curl -X POST
https://gateway.qg1.apps.qualys.com/fim/v2/events/ignore/search -H
'authorization: Bearer <token>' -H 'content-type:
application/json' -d @request.json


Contents of request.json:
{
  "pageSize":100,
  "filter":"registryKey.name: Data"
}


Response:
[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2021-03-05T11:28:36.455+0000",
      "fullPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Data",
      "type": "Value",
      "platform": "WINDOWS",
      "oldContent": null,
      "newContent": null,
      "customerId": "00XXXX-643f-f4af-8336-b253066XXXX",
      "action": "Content",
      "id": "e115XXXX-af72-37b5-8f92-9e878bbbba53",
      "severity": 3,
      "fileCertificateHash": null,
      "profiles": [
        {
          "name": "Profile Name",
          "rules": [
            {
              "severity": 3,
              "number": 1,
              "name": "Rule 1",
              "description": "Rule 1",
              "section": null,
              "id": "4282XXXX-cc33-49d8-82df-53a00e27XXXX",
              "type": "key"
            }
          ],
          "id": "f99941de-2296-4044-bfca-05aeb4575ef5",
          "type": "WINDOWS",
          "category": {
            "name": "PCI",
            "id": "2dabXXXX-2fdd-11e7-93ae-92361f00XXXX"
          }
        }
      ],
      "changedAttributes": null,
      "processedTime": "2021-03-05T05:37:30.311+0000",
      "actor": {
        "process": "reg.exe",
        "processID": 2811,
        "imagePath": "C:\\Windows\\System32\\reg.exe",
        "userName": "MSEDGEWIN10\\IEUser",
        "userID": "S-1-5-21-3461203602-4096304019-2269080069-1000"
      },
      "name": null,
      "asset": {
        "agentId": "7c99XXXX-92fa-4943-91ab-249e341dd10d",
        "interfaces": [
          {
            "hostname": "WIN10-122.WORKGROUP",
            "macAddress": "00:50:56:AA:5C:85",
            "address": "10.115.98.122",
            "interfaceName": "Intel(R) 82574L Gigabit Network Connection"
          }
        ],
        "lastCheckedIn": "2019-07-23T11:01:00.000Z",
        "created": "2021-01-11T06:40:09.930+0000",
        "hostId": null,
        "operatingSystem": "Microsoft Windows 10 Pro 10.0.10586 N/A Build 10586",
        "tags": [
          "7508831",
          "7526815",
          "7503230"
        ],
        "assetType": "HOST",
        "system": {
          "lastBoot": "2019-07-23T11:01:00.000Z"
        },
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "WIN10-122",
        "name": "WIN10-122",
        "agentVersion": "3.0.0.101",
        "updated": "2021-01-11T06:40:09.930+0000"
      },
      "ignoreDate": "2021-01-12",
      "fileContentHash": null,
      "reputationStatus": null,
      "registryPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
      "registryName": "Data",
      "oldRegistryValueType": "REG_MULTI_SZ",
      "oldRegistryValueContent": [
        "Multvalue string",
        "Multvalue string"
      ],
      "newRegistryValueType": "REG_MULTI_SZ",
      "newRegistryValueContent": [
        "Multvalue string1",
        "Multvalue string2"
      ],
      "class": "Registry"
    }
  }
]


Get ignored events count
/fim/v2/events/ignore/count
[POST]


Get number of ignored events logged.


Input Parameters


filter (String) Filter the events list by providing a query using Qualys syntax.
Refer to the “How to Search” topic in the online help for
assistance with creating your query.

For example - dateTime:['2019-02-25T18:30:00.000Z'..'2019-02-26T18:29:59.999Z'] AND action: 'Content'

You can filter events based on the time they are generated on
the asset (dateTime) or based on the time they are processed
at Qualys (processedTime).

Note: For the dateTime filter, the start date should not be earlier
than 2017-01-01. The processedTime filter can be used only
for events generated after FIM release 2.0.2.


groupBy (String) Group results based on certain parameters (provide a
comma-separated list).
For example - action


limit (String) Limit the number of rows fetched by the groupBy function.


sort (String) Sort the results using a Qualys token. For example -
[{\"dateTime\":\"asc\"}]


interval (String) GroupBy interval for date fields. Valid values are y(year),
q(quarter), M(month), w(week), d(day), h(hour), m(minute),
s(second). For example - 1d
An interval lower than a second is not supported.
Note: The value for each interval period should be 1. For example,
you can specify an interval of 1y, 1M, 1w, and so on, but not
2y, 3M, etc.


Authorization (String) (Required) Authorization token to authenticate to the Qualys
Cloud Platform.
Prepend token with "Bearer" and one space. For example -
Bearer authToken
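
A client-side check of the constraints stated for this endpoint and for /fim/v2/events/count, as an added example (not Qualys code): it rejects an interval other than 1 plus a unit, rejects a dateTime range that starts before 2017-01-01, and builds the Authorization header with exactly one "Bearer " prefix. The function names are hypothetical, and sending groupBy as a JSON array is an assumption taken from the /fim/v2/events/count sample request.

```python
import json
import re
from datetime import datetime, timezone

# Limits quoted from the parameter descriptions above.
MIN_DATETIME_START = datetime(2017, 1, 1, tzinfo=timezone.utc)
VALID_INTERVAL = re.compile(r"1[yqMwdhms]")
DATETIME_RANGE = re.compile(r"\bdateTime:\s*\[\s*'([^']+)'\s*\.\.\s*'([^']+)'\s*\]")


def parse_timestamp(text):
    """Parse timestamps written like 2019-02-25T18:30:00.000Z (UTC)."""
    parsed = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def filter_problems(filter_query):
    """Return a list of problems found in the dateTime ranges of a filter."""
    problems = []
    for start_text, end_text in DATETIME_RANGE.findall(filter_query):
        try:
            start, end = parse_timestamp(start_text), parse_timestamp(end_text)
        except ValueError:
            problems.append("unparseable dateTime range: %s..%s" % (start_text, end_text))
            continue
        if start < MIN_DATETIME_START:
            problems.append("dateTime start %s is earlier than 2017-01-01" % start_text)
        if end < start:
            problems.append("dateTime range ends before it starts")
    return problems


def build_count_request(token, filter_query=None, group_by=None, interval=None):
    """Return (headers, body) for a count request; raise ValueError on bad input."""
    token = token.strip()
    # Accept a token pasted with its prefix, so the header never reads "Bearer Bearer ...".
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):].strip()
    # Whitespace or line breaks inside the token would corrupt the header line.
    if not token or re.search(r"\s", token):
        raise ValueError("token must be one non-empty string without whitespace")

    body = {}
    if filter_query:
        problems = filter_problems(filter_query)
        if problems:
            raise ValueError("; ".join(problems))
        body["filter"] = filter_query
    if group_by:
        body["groupBy"] = list(group_by)
    if interval is not None:
        if not VALID_INTERVAL.fullmatch(interval):
            raise ValueError("interval must be 1 followed by one of y, q, M, w, d, h, m, s")
        body["interval"] = interval

    headers = {
        "authorization": "Bearer " + token,
        "content-type": "application/json",
    }
    return headers, body


if __name__ == "__main__":
    # Constructed input: the token is a placeholder, the filter is the page's own example.
    headers, body = build_count_request(
        "constructed.placeholder.token",
        filter_query="dateTime:['2019-02-25T18:30:00.000Z'..'2019-02-26T18:29:59.999Z']"
                     " AND action: 'Content'",
        group_by=["action"],
        interval="1d",
    )
    print(json.dumps(body, indent=2))  # what would be written to request.json
```
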


Sample


Request:
curl -X POST
https://gateway.qg1.apps.qualys.com/fim/v2/events/ignore/count -H
'authorization: Bearer <token>' -H 'content-type:
application/json' -d @request.json


Contents of request.json:
{
  "filter":"dateTime: ['2018-06-25T18:30:00.000Z'..'2019-06-20T18:29:59.999Z']"
}


Response:
{
  "count":234
}


Fetch ignored event details


/fim/v2/events/ignore/{ignoredEventId}
[GET]


Fetch details for an ignored event.


Input Parameters


eventId (String) (Required) ID of the ignored event you want to fetch the
details for.


Authorization (String) (Required) Authorization token to authenticate to the Qualys
Cloud Platform.
Prepend token with "Bearer" and one space. For example -
Bearer authToken
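
Event objects returned by this endpoint and by /fim/v2/events/{eventId} carry the reputationStatus, trustStatus, registryPath and ignoreDate fields shown in the samples on this page. The following added example (not Qualys code) reviews such events and handles both the bare detail object and the {"sortValues", "data"} wrapper used by the search responses; the function names, the choice of review criteria and the embedded events are constructed for illustration.

```python
# Registry location taken from Sample 3 on this page. Treating changes under it
# as review-worthy is this example's assumption, not a rule stated by the API.
SENSITIVE_REGISTRY_PATHS = (
    "\\microsoft\\windows nt\\currentversion\\image file execution options",
)


def unwrap(record):
    """Search results wrap the event in "data"; detail responses are the bare event."""
    if isinstance(record, dict) and isinstance(record.get("data"), dict):
        return record["data"]
    return record


def review_reasons(event):
    """Return the reasons an event deserves analyst review (empty list if none)."""
    reasons = []
    if event.get("reputationStatus") == "MALICIOUS":
        reasons.append("reputationStatus is MALICIOUS")
    if event.get("trustStatus") == "UNTRUSTED":
        reasons.append("trustStatus is UNTRUSTED")
    # registryPath is null for file events, so guard before lowercasing.
    registry_path = (event.get("registryPath") or "").lower()
    if any(path in registry_path for path in SENSITIVE_REGISTRY_PATHS):
        reasons.append("registry change under Image File Execution Options")
    # An ignored event that still trips a check above may have been suppressed too broadly.
    if reasons and event.get("ignoreDate"):
        reasons.append("ignored on %s despite the findings above" % event["ignoreDate"])
    return reasons


def triage(records):
    """Return findings for events needing review, highest severity first."""
    findings = []
    for record in records:
        event = unwrap(record)
        reasons = review_reasons(event)
        if not reasons:
            continue
        actor = event.get("actor") or {}
        findings.append({
            "id": event.get("id"),
            "severity": event.get("severity") or 0,
            "process": actor.get("process"),
            "user": actor.get("userName"),
            "reasons": reasons,
        })
    findings.sort(key=lambda finding: finding["severity"], reverse=True)
    return findings


# Constructed events, trimmed to the fields the checks read.
CONSTRUCTED_EVENTS = [
    {   # search-style wrapper around an ignored registry event
        "sortValues": [],
        "data": {
            "id": "constructed-registry-event",
            "severity": 3,
            "actor": {"process": "reg.exe", "userName": "HOST\\user"},
            "ignoreDate": "2021-01-12",
            "reputationStatus": None,
            "registryPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                            "\\CurrentVersion\\Image File Execution Options",
        },
    },
    {   # bare detail object for a file event
        "id": "constructed-file-event",
        "severity": 4,
        "actor": {"process": "update.exe", "userName": "NT AUTHORITY\\SYSTEM"},
        "reputationStatus": "MALICIOUS",
        "trustStatus": "UNTRUSTED",
        "registryPath": None,
    },
    {   # ignored event with clean reputation: no finding
        "id": "constructed-clean-event",
        "severity": 3,
        "actor": {"process": "Explorer.EXE", "userName": "HOST\\Administrator"},
        "ignoreDate": "2021-01-19",
        "reputationStatus": "KNOWN",
        "trustStatus": "TRUSTED",
    },
]

if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_EVENTS):
        print(finding["severity"], finding["id"], finding["process"], finding["reasons"])
```
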


Sample 1


Request:
curl -X GET
https://gateway.qg1.apps.qualys.com/fim/v2/events/ignore/f214c35a-441e-450a-b817-2f162add6854
-H 'authorization: Bearer <token>' -H 'content-type: application/json'


Response:
{
  "dateTime": "2018-06-19T07:09:07.116+0000",
  "fullPath": "\\Device\\HarddiskVolume2\\FIM\\ProdCerts",
  "severity": 3,
  "profiles": [
    {
      "name": "Bug Test Profile",
      "rules": [
        {
          "severity": 3,
          "description": "",
          "id": "c9a0d542-2d00-4a34-8ffd-b07a4826739a",
          "type": "directory"
        }
      ],
      "id": "f214c35a-441e-450a-b817-2f162add6854",
      "type": "WINDOWS",
      "category": {
        "name": "PCI",
        "id": "2dab5022-2fdd-11e7-93ae-92361f002671"
      }
    }
  ],
  "type": "Directory",
  "changedAttributes": null,
  "platform": "WINDOWS",
  "oldContent": null,
  "actor": {
    "process": "Explorer.EXE",
    "processID": 312,
    "imagePath": "\\Device\\HarddiskVolume2\\Windows\\Explorer.EXE",
    "userName": "CAAUTOMATION-PC\\Administrator",
    "userID": "S-1-5-21-3436480518-4193688097-2835352598-500"
  },
  "newContent": null,
  "ignoreDate": "2018-06-19",
  "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
  "name": "ProdCerts",
  "action": "Delete",
  "id": "5ca3af2b-991d-3154-acce-6ebbad2a6cc1",
  "asset": {
    "agentId": "b1362e7f-a29c-4226-a9a2-f91747f7e009",
    "interfaces": [
      {
        "hostname": "CAAUTOMATION-PC",
        "macAddress": "00:50:56:9F:FF:54",
        "address": "10.113.197.104",
        "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
      }
    ],
    "lastCheckedIn": "2018-06-19T07:02:08.000Z",
    "created": 1529071987000,
    "hostId": null,
    "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
    "tags": [
      "7895614",
      "7655820",
      "7650412",
      "8072536"
    ],
    "assetType": "HOST",
    "system": {
      "lastBoot": "2018-06-14T16:29:03.000Z"
    },
    "ec2": null,
    "lastLoggedOnUser": ".\\Administrator",
    "netbiosName": "CAAUTOMATION-PC",
    "name": "CAAUTOMATION-PC",
    "agentVersion": "2.0.6.1",
    "updated": 1529391745750
  },
  "class": "Disk"
}


Sample 2


Request:
curl -X GET
https://gateway.qg1.apps.qualys.com/fim/v2/events/ignore/f589a105-0100-3dbb-a007-556fae7afea5
-H 'authorization: Bearer <token>' -H 'content-type: application/json'


Response:
{
  "dateTime": "2021-01-19T07:09:07.116+0000",
  "fullPath": "\\Device\\HarddiskVolume2\\FIM\\ProdCerts",
  "severity": 3,
  "profiles": [
    {
      "name": "Bug Test Profile",
      "rules": [
        {
          "severity": 3,
          "description": "",
          "id": "c9a0d542-2d00-4a34-8ffd-b07a4826739a",
          "type": "directory"
        }
      ],
      "id": "f214c35a-441e-450a-b817-2f162add6854",
      "type": "WINDOWS",
      "category": {
        "name": "PCI",
        "id": "f589a105-0100-3dbb-a007-556fae7afea5"
      }
    }
  ],
  "type": "Directory",
  "changedAttributes": null,
  "platform": "WINDOWS",
  "oldContent": null,
  "actor": {
    "process": "Explorer.EXE",
    "processID": 312,
    "imagePath": "\\Device\\HarddiskVolume2\\Windows\\Explorer.EXE",
    "userName": "CAAUTOMATION-PC\\Administrator",
    "userID": "S-1-5-21-3436480518-4193688097-2835352598-500"
  },
  "newContent": null,
  "ignoreDate": "2021-01-19",
  "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
  "name": "ProdCerts",
  "action": "Create",
  "id": "5ca3af2b-991d-3154-acce-6ebbad2a6cc1",
  "asset": {
    "agentId": "b1362e7f-a29c-4226-a9a2-f91747f7e009",
    "interfaces": [
      {
        "hostname": "CAAUTOMATION-PC",
        "macAddress": "00:50:56:9F:FF:54",
        "address": "10.113.197.104",
        "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
      }
    ],
    "lastCheckedIn": "2021-01-19T07:02:08.000Z",
    "created": 1529071987000,
    "hostId": null,
    "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
    "tags": [
      "7895614",
      "7655820",
      "7650412",
      "8072536"
    ],
    "assetType": "HOST",
    "system": {
      "lastBoot": "2018-06-14T16:29:03.000Z"
    },
    "ec2": null,
    "lastLoggedOnUser": ".\\Administrator",
    "netbiosName": "CAAUTOMATION-PC",
    "name": "CAAUTOMATION-PC",
    "agentVersion": "2.0.6.1",
    "updated": 1529391745750
  },
  "class": "Disk",
  "fileContentHash": "50dc26047f5572a38aa7adb4e9b140dc301ea41d1f4bed5095a1ed7fc1d03fbc",
  "reputationStatus": "KNOWN",
  "fileCertificateHash": [
    "d12bed1761e1b2c244db23cebe4185c2b0839eee",
    "1ade32c9b68b944bf291d1fcc59faef061a6d2f2"
  ],
  "trustStatus": "TRUSTED"
}


Sample 3


Request:
curl -X GET
https://gateway.qg1.apps.qualys.com/fim/v2/events/ignore/e115XXXX-af72-37b5-8f92-9e878bbbba53
-H 'authorization: Bearer <token>' -H 'content-type: application/json'


Response:
{
  "dateTime": "2021-03-05T11:28:36.455+0000",
  "fullPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Data",
  "type": "Value",
  "platform": "WINDOWS",
  "oldContent": null,
  "newContent": null,
  "customerId": "00XXXX-643f-f4af-8336-b253066XXXX",
  "action": "Content",
  "id": "e115XXXX-af72-37b5-8f92-9e878bbbba53",
  "severity": 3,
  "fileCertificateHash": null,
  "profiles": [
    {
      "name": "Profile Name",
      "rules": [
        {
          "severity": 3,
          "number": 1,
          "name": "Rule 1",
          "description": "Rule 1",
          "section": null,
          "id": "4282XXXX-cc33-49d8-82df-53a00e27XXXX",
          "type": "key"
        }
      ],
      "id": "f99941de-2296-4044-bfca-05aeb4575ef5",
      "type": "WINDOWS",
      "category": {
        "name": "PCI",
        "id": "2dabXXXX-2fdd-11e7-93ae-92361f00XXXX"
      }
    }
  ],
  "changedAttributes": null,
  "processedTime": "2021-03-05T05:37:30.311+0000",
  "actor": {
    "process": "reg.exe",
    "processID": 2811,
    "imagePath": "C:\\Windows\\System32\\reg.exe",
    "userName": "MSEDGEWIN10\\IEUser",
    "userID": "S-1-5-21-3461203602-4096304019-2269080069-1000"
  },
  "name": null,
  "asset": {
    "agentId": "7c99XXXX-92fa-4943-91ab-249e341dd10d",
    "interfaces": [
      {
        "hostname": "WIN10-122.WORKGROUP",
        "macAddress": "00:50:56:AA:5C:85",
        "address": "10.115.98.122",
        "interfaceName": "Intel(R) 82574L Gigabit Network Connection"
      }
    ],
    "lastCheckedIn": "2019-07-23T11:01:00.000Z",
    "created": "2021-01-11T06:40:09.930+0000",
    "hostId": null,
    "operatingSystem": "Microsoft Windows 10 Pro 10.0.10586 N/A Build 10586",
    "tags": [
      "7508831",
      "7526815",
      "7593230"
    ],
    "assetType": "HOST",
    "system": {
      "lastBoot": "2019-07-23T11:01:00.000Z"
    },
    "ec2": null,
    "lastLoggedOnUser": ".\\Administrator",
    "netbiosName": "WIN10-122",
    "name": "WIN10-122",
    "agentVersion": "3.0.0.101",
    "updated": "2021-01-11T06:40:09.930+0000"
  },
  "ignoreDate": "2021-01-12",
  "fileContentHash": null,
  "reputationStatus": null,
  "registryPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
  "registryName": "Data",
  "oldRegistryValueType": "REG_MULTI_SZ",
  "oldRegistryValueContent": [
    "Multvalue string",
    "Multvalue string"
  ],
  "newRegistryValueType": "REG_MULTI_SZ",
  "newRegistryValueContent": [
    "Multvalue string1",
    "Multvalue string2"
  ],
  "class": "Registry"
}


Use these API functions to fetch FIM Incident data.
Fetch incident count
Fetch incidents
Get event count for an incident
Fetch events for an Incident
Create manual Incident
Approve the given incident


Fetch incident count
/fim/v2/incidents/count
[POST]


Get the number of incidents in a user account.


Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable


Input Parameters


filter (String) Filter the incidents list by providing a query using Qualys
syntax. Refer to the “How to Search” topic in the online help
for assistance with creating your query.

For example - status: OPEN


groupBy (String) Group results based on certain parameters (provide a
comma-separated list).
For example - action


interval (String) GroupBy interval for date fields. Valid values are y(year),
q(quarter), M(month), w(week), d(day), h(hour), m(minute),
s(second). For example - 1d
An interval lower than a second is not supported.

Note: The value for each interval period should be 1. For example,
you can specify an interval of 1y, 1M, 1w, and so on, but not
2y, 3M, etc.


limit (String) Limit the number of rows fetched by the groupBy function.


sort (String) Sort the results using a Qualys token. For example -
[{\"name\":\"asc\"}]


Sample 


Request: 
curl -X POST 
https://gateway.qgl.apps.qualys.com/fim/v2/incidents/count -H 
'authorization: Bearer «token»' -H 'content-type: 
application/json' -d @request.json 


Contents of request.json: 
{ 
"filter":"status:OPEN", 
"groupBy": ["approvalType", "name", "id"] 


} 
Response:
{
  "MANUAL": {
    "Incident-3a899bb5-493e-40b8-a348-408dee7b2314-pod01_rule_15": {
      "af72cee0-3dd7-4173-b6ff-c0dfd1ad0465": 1,
      "70datal1-35df-40a2-b20d-9878389d63d9": 1,
      "435d4e5b-753e-455f-bc64-7ebbdab38cad": 1
    },
    "Incident-4b5c6f12-a3dc-48d3-b9f5-be01d35449e7-pod01_rule_16": {
      "689ea586-5c41-462e-b9f9-41635fa71889": 1,
      "p9760652-e642-43e3-a1bc-27441bd590c8": 1,
      "56660ef6-a0ed-447e-8738-4d25026£44026": 1
    },
    "Incident-d353f6bc-11d8-480e-a26a-3fb3a4324689-pod01_rule_14": {
      "d31f45da-f3b2-4a91-a84a-36992966c6ec": 1,
      "7556fce9-a928-43b4-9724-1849f0650db1": 1,
      "45630e02-bbee-44a8-9b89-966b95ef62a3": 1
    },
    "Incident-aa85ac30-ce17-4370-ba1d-7471d8a0fa35-pod01_rule_29": {
      "e24ec4e4-87e1-49dd-b3ed-91959673da32": 1,
      "85eb37a0-0b64-45de-9559-668eaa58eca8": 1
    },
    "Incident-47a9fce9-2b4c-4d2a-ab84-9853a41225d7-pod01_rule_27": {
      "7f41087e-2d1d-4514-806f-d51fd78e312c": 1,
      "e913313d-eda2-4c4d-9550-32cae546f4b7": 1
    },
    "Incident-f534db2b-d4fa-43cb-a550-c2cce44e02f4-pod01_rule_25": {
      "3907d4bd-3755-4191-89c3-d6f4e31fcd6e": 1,
      "f29cb285-e2a0-434e-9240-63b00bd420df": 1
    },
    "Incident-70060303-29a1-47b7-bd7a-17409cf1049b-pod01_rule_33": {
      "b8b89269-f82d-4e08-bed5-607540930baa": 1,
      "ae70ad1b-f841-4ad9-9a92-49a481dd0383": 1
    },
    "Incident-84e3c230-5ce9-49bd-9a19-7ab9a63f5f48-pod01_rule_28": {
      "50f8cfb8-383d-4605-85a8-e85968e6f8ef": 1,
      "3e020872-c903-4076-bd43-f£0a85b3275bf": 1
    },
    "Incident-al170f7bf-e74d-41bc-bb76-0ddbed938794-pod01_rule_21": {
      "1f995877-6123-4308-ae71-7086a597972e": 1,
      "d20a61d4-9ec0-43ca-b6c1-c7ca93933ed3": 1
    },
    "Incident-f050635e-fl1ce-4059-beed-f144b66de3c2-pod01_rule_24": {
      "0678d417-af29-4ca9-9dc5-6cefacb459c9": 1,
      "65e51413-4802-415c-b8a5-469f7cd5f151": 1
    }
  }
}

Fetch incidents
/fim/v3/incidents/search
[POST]

Get FIM incidents for a user account.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

filter (String) Filter the incidents list by providing a query using Qualys
syntax. Refer to the "How to Search" topic in the online help
for assistance with creating your query.
For example - status: OPEN

pageNumber (String) The page to be returned. Starts from zero.

pageSize (String) The number of records per page to be included in the
response. Default is 10.

sort (String) Sort the results using a Qualys token. For example -
"sort":"[{\"name\":\"asc\"}]"

attributes (String) Search based on certain attributes (provide comma separated
list).

SearchAfter (Required) This parameter is required to fetch more than
10,000 rows.
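
Added example (not part of the Qualys guide): the paging parameters above, driven from Python. It walks pageNumber from zero and refuses any page that would reach past the 10,000 rows the guide reserves for SearchAfter. The post callable, the rule that a short page ends the listing, the function names and the sample incidents are assumptions made for this example.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional

# The guide states SearchAfter is required to fetch more than 10,000 rows,
# so plain pageNumber/pageSize paging has to stop at this boundary.
MAX_PAGED_ROWS = 10_000


def search_body(filter_query: str, page_number: int, page_size: int = 10,
                sort_field: str = "name", order: str = "asc",
                attributes: Optional[List[str]] = None) -> Dict:
    """Build the JSON body for one page of a search call."""
    if page_number < 0 or page_size < 1:
        raise ValueError("pageNumber starts at zero and pageSize must be positive")
    if (page_number + 1) * page_size > MAX_PAGED_ROWS:
        raise ValueError("page reaches past 10,000 rows, where the guide requires SearchAfter")
    if order not in ("asc", "desc"):
        raise ValueError("sort order must be asc or desc")
    body = {
        "filter": filter_query,
        "pageNumber": page_number,
        "pageSize": page_size,
        # sort is a string that itself holds JSON: [{"name":"asc"}]
        "sort": json.dumps([{sort_field: order}], separators=(",", ":")),
    }
    if attributes:
        body["attributes"] = ",".join(attributes)  # comma separated list
    return body


def iter_incidents(post: Callable[[Dict], List[Dict]], filter_query: str,
                   page_size: int = 10,
                   attributes: Optional[List[str]] = None) -> Iterator[Dict]:
    """Yield the "data" object of every incident matching filter_query.

    post is a hypothetical transport: it sends the body to
    /fim/v3/incidents/search and returns the decoded JSON array.
    Assumption: a page shorter than pageSize is the last page.
    """
    page_number = 0
    while True:
        rows = post(search_body(filter_query, page_number, page_size,
                                attributes=attributes))
        for row in rows:
            yield row["data"]
        if len(rows) < page_size:
            return
        page_number += 1


def make_fake_post(incidents: List[Dict]):
    """Offline stand-in for the API that serves constructed incidents."""
    calls: List[Dict] = []

    def post(body: Dict) -> List[Dict]:
        calls.append(body)
        start = body["pageNumber"] * body["pageSize"]
        page = incidents[start:start + body["pageSize"]]
        return [{"sortValues": [item["name"]], "data": item} for item in page]

    return post, calls


if __name__ == "__main__":
    # Constructed sample data, not real incidents.
    sample = [{"name": f"incident {n:02d}", "id": f"constructed-id-{n}"}
              for n in range(1, 6)]
    fake_post, sent = make_fake_post(sample)
    for incident in iter_incidents(fake_post, "changeType:AUTOMATED", page_size=2):
        print(incident["name"], incident["id"])
    print("requests sent:", len(sent))
```
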

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/incidents/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "attributes":"reviewers,name",
  "filter":"changeType:AUTOMATED",
  "pageSize":2,
  "pageNumber":0,
  "sort":"[{\"name\":\"asc\"}]"
}

Response:
[
  {
    "sortValues": [
      "incident 01"
    ],
    "data": {
      "name": "incident 01",
      "id": "xxx9xx4x-2x73-4x6x-95x6-29x3x4x4x013",
      "reviewers": [
        "quays_fa"
      ]
    }
  },
  {
    "sortValues": [
      "incident 02"
    ],
    "data": {
      "name": "incident 02",
      "id": "7992xxxx-x161-494x-x761-323xx067844x8",
      "reviewers": [
        "quays_fa"
      ]
    }
  }
]

Get event count for an incident
/fim/v2/incidents/{incidentId}/events/count
[POST]

Get the number of events logged for an incident.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

incidentId (String)
    (Required) ID of the incident you want to fetch the events for.

filter (String)
    Filter the incidents list by providing a query using Qualys
    syntax. Refer to the "How to Search" topic in the online help
    for assistance with creating your query.
    For example - status: OPEN

groupBy (String)
    Group results based on certain parameters (provide comma
    separated list).
    For example - action

limit (String)
    Limit the number of rows fetched by the groupBy function.

sort (String)
    Sort the results using a Qualys token. For example -
    [{\"name\":\"asc\"}]

interval (String)
    GroupBy interval for date fields. Valid values are y(year),
    q(quarter), M(month), w(week), d(day), h(hour), m(minute),
    s(second). For example - 1d
    An interval lower than a second is not supported.
    Note: Value for each interval period should be 1. For example,
    you can specify an interval of 1y, 1M, 1w, and so on, but not
    2y, 3M, etc.

Authorization (String)
    (Required) Authorization token to authenticate to the Qualys
    Cloud Platform.
    Prepend token with "Bearer" and one space. For example -
    Bearer authToken

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v2/incidents/{incidentId}/events/count \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "groupBy":["action","dateTime"],
  "limit":2
}

Response:
{
  "Delete": {
    "2019-01-01T00:00:00.000Z": 1551
  },
  "Attributes": {
    "2019-01-01T00:00:00.000Z": 1159
  }
}
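
Added example (not Qualys code): building the request body for the two count calls above in Python, enforcing the interval rule (a value of 1 with one of the listed units), and flattening a grouped response into rows. The function names and the default base URL are assumptions; the sample response repeats the one shown above.

```python
import json
import os
import re
import urllib.request
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: the base URL depends on the platform hosting the account.
DEFAULT_GATEWAY = "https://gateway.qg1.apps.qualys.com"

# Exactly one unit of y, q, M, w, d, h, m or s.
# Case matters: M is month, m is minute.
INTERVAL_RE = re.compile(r"1[yqMwdhms]")

# Response from the "Get event count for an incident" sample.
EVENT_COUNT_SAMPLE = {
    "Delete": {"2019-01-01T00:00:00.000Z": 1551},
    "Attributes": {"2019-01-01T00:00:00.000Z": 1159},
}


def count_body(filter_query: Optional[str] = None,
               group_by: Optional[Iterable[str]] = None,
               interval: Optional[str] = None,
               limit: Optional[int] = None,
               sort: Optional[Dict[str, str]] = None) -> Dict:
    """Build a count request body, rejecting intervals the API does not accept."""
    body: Dict = {}
    if filter_query:
        body["filter"] = filter_query
    if group_by:
        body["groupBy"] = list(group_by)
    if interval is not None:
        if not INTERVAL_RE.fullmatch(interval):
            raise ValueError(
                f"interval {interval!r} must be 1 followed by one of y q M w d h m s")
        body["interval"] = interval
    if limit is not None:
        if limit < 1:
            raise ValueError("limit must be a positive number of rows")
        body["limit"] = limit
    if sort:
        # sort travels as a string holding JSON, e.g. [{"name":"asc"}]
        body["sort"] = json.dumps([sort], separators=(",", ":"))
    return body


def count_request(path: str, token: str, body: Dict,
                  gateway: str = DEFAULT_GATEWAY) -> urllib.request.Request:
    """Prepare (without sending) the POST carrying the Bearer token."""
    if not (path.startswith("/fim/") and path.endswith("/count")):
        raise ValueError("expected a /fim/.../count path")
    return urllib.request.Request(
        gateway + path,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )


def flatten_counts(node, prefix: Tuple[str, ...] = ()) -> List[Tuple[Tuple[str, ...], int]]:
    """Turn nested groupBy counts into (group keys, count) rows.

    Each groupBy field adds one level of nesting; the leaves are counts.
    """
    if isinstance(node, dict):
        rows: List[Tuple[Tuple[str, ...], int]] = []
        for key, child in node.items():
            rows.extend(flatten_counts(child, prefix + (key,)))
        return rows
    return [(prefix, node)]


if __name__ == "__main__":
    # QUALYS_TOKEN is a hypothetical variable name; reading the JWT from the
    # environment keeps it out of shell history and process listings.
    token = os.environ.get("QUALYS_TOKEN", "constructed-token")
    body = count_body(group_by=["action", "dateTime"], interval="1d", limit=2)
    request = count_request("/fim/v2/incidents/count", token, body)
    print(request.get_method(), request.full_url, body)
    for keys, count in flatten_counts(EVENT_COUNT_SAMPLE):
        print(" / ".join(keys), count)
```
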
Fetch events for an Incident
/fim/v2/incidents/{incidentId}/events/search
[POST]

Get events logged under an incident.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

incidentId (String) (Required) ID of the incident you want to fetch the events for.

filter (String) Filter the events list by providing a query using Qualys syntax.
Refer to the "How to Search" topic in the online help for
assistance with creating your query.
For example - status: OPEN

pageNumber (String) The page to be returned. Starts from zero.

pageSize (String) The number of records per page to be included in the
response. Default is 10.

sort (String) Sort the results using a Qualys token. For example -
[{\"name\":\"asc\"}]

attributes (String) Search based on certain attributes (provide comma separated
list).

Authorization (String) (Required) Authorization token to authenticate to the Qualys
Cloud Platform.
Prepend token with "Bearer" and one space. For example -
Bearer authToken

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v2/incidents/{incidentId}/events/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "sort":"[{\"name\":\"desc\"}]",
  "pageNumber":2,
  "attributes":"name"
}

Response:
[
  {
    "sortValues": [
      "x86_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_6.1.7601.23915_none_78558f3c6624167c"
    ],
    "data": {
      "name": "x86_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_6.1.7601.23915_none_78558f3c6624167c",
      "id": "8x340728-411x-37x1-x028-0xxx41362xxx"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-t..-collaboration-core_31bf3856ad364e35_6.1.7601.23892_none_bd47535b6dcd4b69"
    ],
    "data": {
      "name": "x86_microsoft-windows-t..-collaboration-core_31bf3856ad364e35_6.1.7601.23892_none_bd47535b6dcd4b69",
      "id": "6f5878be-3abe-32b7-a943-d9b6c982190f"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-t..-collaboration-core_31bf3856ad364e35_6.1.7601.23892_none_bd47535b6dcd4b69"
    ],
    "data": {
      "name": "x86_microsoft-windows-t..-collaboration-core_31bf3856ad364e35_6.1.7601.23892_none_bd47535b6dcd4b69",
      "id": "c9f2dea8-a14c-34e8-b2dc-a20d282bee73"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-t..-collaboration-core_31bf3856ad364e35_6.1.7601.23892_none_bd47535b6dcd4b69"
    ],
    "data": {
      "name": "x86_microsoft-windows-t..-collaboration-core_31bf3856ad364e35_6.1.7601.23892_none_bd47535b6dcd4b69",
      "id": "87x0x9x7-0518-3974-86x3-x48712323147"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-shdocvw_31bf3856ad364e35_6.1.7601.23896_none_e9b14bab8385266b"
    ],
    "data": {
      "name": "x86_microsoft-windows-shdocvw_31bf3856ad364e35_6.1.7601.23896_none_e9b14bab8385266b",
      "id": "3e68b55b-eff3-35ab-9c7f-95ad3be33c34"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-shdocvw_31bf3856ad364e35_6.1.7601.23896_none_e9b14bab8385266b"
    ],
    "data": {
      "name": "x86_microsoft-windows-shdocvw_31bf3856ad364e35_6.1.7601.23896_none_e9b14bab8385266b",
      "id": "e5bd74f2-03b9-301d-ba96-34b3d8a6bd7c"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7601.23896_en-us_c9ff1fadd1da973e"
    ],
    "data": {
      "name": "x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7601.23896_en-us_c9ff1fadd1da973e",
      "id": "ea9e8bc7-1895-34fc-b2a7-f6c42be0ed0a"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7601.23896_en-us_c9ff1fadd1da973e"
    ],
    "data": {
      "name": "x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7601.23896_en-us_c9ff1fadd1da973e",
      "id": "a5d68c5e-5f9e-3cc5-976f-8331e4404a73"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7601.23896_en-us_c9ff1fadd1da973e"
    ],
    "data": {
      "name": "x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7601.23896_en-us_c9ff1fadd1da973e",
      "id": "452af9e5-c926-39a5-8a7d-e6b25a43a828"
    }
  },
  {
    "sortValues": [
      "x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.23915_none_c64a109218ef01b4"
    ],
    "data": {
      "name": "x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.23915_none_c64a109218ef01b4",
      "id": "249e4bdf-aad5-3ddd-bbbf-03f45eecd137"
    }
  }
]

Create manual Incident
/fim/v3/incidents/create
[POST]

Create manual incidents of type "DEFAULT".

Response Code
- 201: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

comment (String) Comments for approval of the Incidents.

filters (Required) Filter the events list by providing a query using
Qualys syntax.
Refer to the "How to Search" topic in the online help for
assistance with creating your query.
For example - "filters": [ "dateTime: ['2020-05-17T18:30:00.000Z'..'2020-05-18T18:29:59.999Z'] and
(action: Attributes )"],

name (String) (Required) The name of the incident.
Accepted length: Between 1 to 128 characters.

reviewers (String) Reviewers who will approve the incident.

type This is set to "DEFAULT" always.

userInfo Information about the user.

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/incidents/create \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "name": "Incident 001",
  "reviewers": [
    "quays_fa"
  ],
  "filters": [
    "dateTime: ['2020-05-17T18:30:00.000Z'..'2020-05-18T18:29:59.999Z'] and (action: Attributes )"
  ],
  "comment": "comment for an incident",
  "type": "DEFAULT",
  "userInfo": {
    "user": {
      "name": "quays_fa",
      "id": "228xxxx1-4xx2-6xxx-82x9-287x5x441xxx"
    }
  }
}

Response:
{
  "comment": "comment for an incident",
  "approvalType": "MANUAL",
  "type": "DEFAULT",
  "id": "xx91xx81-2116-4x92-967x-4133422421xx",
  "userInfo": {
    "user": {
      "id": "5]xxxx4x-5xx5-xxx6-8141-5x7887xx557x",
      "name": "FIM Automation"
    },
    "date": 1590598106811
  },
  "customerId": "25x14x60-80x1-4x25-8166-6653x4x2x094",
  "name": "Incident 001",
  "filters": [
    "dateTime: ['2020-05-17T18:30:00.000Z'..'2020-05-18T18:29:59.999Z'] and (action: Attributes )"
  ],
  "reviewers": [
    "quays_fa"
  ]
}

Approve the given incident
/fim/v3/incidents/{incidentId}/approve
[POST]

Approve an incident.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Not found
- 503: Service unavailable

Input Parameters

approvalStatus (Required) The approval status of the incident created by the rule.
Allowed values: "APPROVED", "POLICY_VIOLATION",
"UNAPPROVED", "NA".

changeType (Required) Type of Incidents created by the rule.
Allowed values: "MANUAL", "AUTOMATED", "COMPROMISE",
"OTHER".

comment (String) (Required) Comments for Incidents created by rule.

dispositionCategory (Required) The category of the Incident created by the rule.
Allowed values: "PATCHING",
"PRE_APPROVED_CHANGE_CONTROL",
"CONFIGURATION_CHANGE", "HUMAN_ERROR",
"DATA_CORRUPTION", "EMERGENCY_CHANGE",
"CHANGE_CONTROL_VIOLATION", "GENERAL_HACKING",
"MALWARE"


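Added example (not Qualys code): checking an approve request against the allowed values listed above before it is sent. The underscore spelling of the multi-word values, the UUID shape of incident IDs, the escalation rule and all function names are assumptions made for this example.

```python
import json
import re
from typing import Dict

APPROVAL_STATUS = ("APPROVED", "POLICY_VIOLATION", "UNAPPROVED", "NA")
CHANGE_TYPE = ("MANUAL", "AUTOMATED", "COMPROMISE", "OTHER")
DISPOSITION_CATEGORY = (
    "PATCHING", "PRE_APPROVED_CHANGE_CONTROL", "CONFIGURATION_CHANGE",
    "HUMAN_ERROR", "DATA_CORRUPTION", "EMERGENCY_CHANGE",
    "CHANGE_CONTROL_VIOLATION", "GENERAL_HACKING", "MALWARE",
)

# Assumption: incident IDs are UUID-shaped, like the masked IDs in the samples.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Local triage policy (an assumption, not an API rule): approving a change
# that is classified as an attack should get a second reviewer.
ESCALATE_DISPOSITIONS = {"GENERAL_HACKING", "MALWARE"}


def approve_path(incident_id: str) -> str:
    """Return the approve path, refusing IDs that could alter the URL."""
    if not UUID_RE.fullmatch(incident_id):
        raise ValueError(f"incidentId {incident_id!r} is not UUID-shaped")
    return f"/fim/v3/incidents/{incident_id}/approve"


def approve_body(approval_status: str, change_type: str, comment: str,
                 disposition_category: str) -> Dict[str, str]:
    """Validate the four required fields and return the request body."""
    problems = []
    checks = (
        ("approvalStatus", approval_status, APPROVAL_STATUS),
        ("changeType", change_type, CHANGE_TYPE),
        ("dispositionCategory", disposition_category, DISPOSITION_CATEGORY),
    )
    for field, value, allowed in checks:
        if value not in allowed:  # values are case-sensitive
            problems.append(
                f"{field} {value!r} is not one of {', '.join(allowed)}")
    if not comment or not comment.strip():
        problems.append("comment is required")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "approvalStatus": approval_status,
        "changeType": change_type,
        "comment": comment,
        "dispositionCategory": disposition_category,
    }


def needs_escalation(body: Dict[str, str]) -> bool:
    """True when an APPROVED decision is paired with an attack classification."""
    return body["approvalStatus"] == "APPROVED" and (
        body["changeType"] == "COMPROMISE"
        or body["dispositionCategory"] in ESCALATE_DISPOSITIONS)


if __name__ == "__main__":
    # Constructed incident ID, not taken from a real account.
    path = approve_path("11111111-2222-3333-4444-555555555555")
    body = approve_body("APPROVED", "MANUAL", "new incident", "PATCHING")
    print(path)
    print(json.dumps(body, indent=2))
    print("escalate:", needs_escalation(body))
```
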
Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/incidents/{incidentId}/approve \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "approvalStatus": "APPROVED",
  "changeType": "MANUAL",
  "comment": "new incident",
  "dispositionCategory": "PATCHING"
}

Response:
{
  "customerId": "003x9084-643x-x4xx-8336-x2530663x0x2",
  "type": "DEFAULT",
  "id": "56x58733-1485-4x29-x4xx-x96x9x1x8530",
  "filterFromDate": "2020-02-09T18:30:00.000+0000",
  "filterToDate": "2020-03-11T18:29:59.999+0000",
  "name": "new incident tests",
  "filters": [
    "dateTime: ['2020-02-09T18:30:00.000Z'..'2020-03-11T18:29:59.999Z'] and name:image.gif"
  ],
  "status": "CLOSED",
  "reviewers": [
    "quays_hs"
  ],
  "comment": "new incident",
  "assignDate": "2020-03-11T11:14:39.498+0000",
  "approvalDate": "2020-03-12T06:33:02.554+0000",
  "approvalStatus": "APPROVED",
  "dispositionCategory": "PATCHING",
  "changeType": "MANUAL",
  "approvalType": "MANUAL",
  "createdById": null,
  "createdByName": null,
  "createdDate": "2020-03-11T11:14:39.497+0000",
  "lastUpdatedById": "228xxxx1-4xx2-6xxx-82x9-287x5x441xxx",
  "lastUpdatedByName": "John Doe",
  "lastUpdatedDate": "2020-03-11T11:21:33.025+0000",
  "filterUpdatedDate": "2020-03-11T11:21:33.024+0000",
  "deleted": false,
  "marked": false,
  "moved": null,
  "markupStatus": null,
  "ruleId": null,
  "ruleName": null
}

Chapter 5 - FIM Alerting API

Use these API functions to fetch FIM Alerting data.

Alerting Action API
Fetch all Alert Actions
Fetch Alert Actions for an Action ID

Fetch all Alert Actions
/fim/v3/alert/actions/search
[POST]

To search all the Alert actions created.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/actions/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "customerId": "x5x0514x-x211-x1x4-809x-x3x2xx667xxx",
  "applicationName": "FIM",
  "id": "xxx13x40-11x0-11xx-x12x-xx6083x5x695",
  "name": "Email - Alerting regression",
  "description": "Alerting regression",
  "actionType": "qemail",
  "createdBy": "John Doe",
  "createdById": "quays_jd2",
  "updatedBy": "John Doe",
  "updatedById": "quays_jd2",
  "created": 1574919350308,
  "updated": 1574919362952,
  "alert": "Email- Alerting regression",
  "subject": "Email- Alerting regression",
  "smtpHost": "mta01.eng.sjc01.qualys.com",
  "smtpPort": 25,
  "emailRecipients": [
    "ja28@qualys.com",
    "jd1@qualys.com",
    "jd@qualys.com"
  ],
  "emailFromAddress": "noreply@qualys.com",
  "emailReplyTo": "noreply@qualys.com",
  "slackWebhookUri": null,
  "slackChannel": null,
  "pagerdutyServiceKey": null,
  "pagerdutyEventType": null,
  "pagerdutyClient": null,
  "activeRules": 1,
  "disabledRules": 2,
  "smtpUser": null
}

Fetch Alert Actions for an Action ID
/fim/v3/alert/actions/{actionId}
[GET]

To search the Alert actions for an Action ID.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Not found
- 503: Service unavailable

Input Parameters

actionId (Required) ID of the action you want to fetch the action for.

Sample

Request:
curl -X GET \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/actions/{actionId} \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "customerId": "x5x0514x-x211-x1x4-809x-x3x2xx667xxx",
  "applicationName": "FIM",
  "id": "xxx13x40-11x0-11xx-x12x-xx6083x5x695",
  "name": "Email - Alerting regression",
  "description": "Alerting regression",
  "actionType": "qemail",
  "createdBy": "John Doe",
  "createdById": "quays_jd2",
  "updatedBy": "John Doe",
  "updatedById": "quays_jd2",
  "created": 1574919350308,
  "updated": 1574919362952,
  "alert": "Email- Alerting regression",
  "subject": "Email- Alerting regression",
  "smtpHost": "mta01.eng.sjc01.qualys.com",
  "smtpPort": 25,
  "emailRecipients": [
    "ja28@qualys.com",
    "jd1@qualys.com",
    "jd@qualys.com"
  ],
  "emailFromAddress": "noreply@qualys.com",
  "emailReplyTo": "noreply@qualys.com",
  "slackWebhookUri": null,
  "slackChannel": null,
  "pagerdutyServiceKey": null,
  "pagerdutyEventType": null,
  "pagerdutyClient": null,
  "activeRules": 1,
  "disabledRules": 2,
  "smtpUser": null
}

Alerting Rules API
Fetch Alert Rules
Fetch details for Alert Rule
Enable Alert Rule
Disable Alert Rule
Delete an Alert Rule

Fetch Alert Rules
/fim/v3/alert/rules/search
[POST]

To search all the alert rules.

Note: The API will return the default value for the following fields:
For Single Match: slideTime, matchCount, aggregate, aggregationKeys.
For Time-Window Scheduled Match: slideTime, matchCount.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/rules/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "customerId":"x5x0514x-x211-x1x4-809x-x3x2xx667xxx",
  "applicationName":"FIM",
  "id":"8xx98x30-xx5x-11x9-9036-339x439x1x4x",
  "datasource":"EVENTS",
  "ruleType":"simple alert",
  "name":"Rule - Alerting 2.1.2 testing updating",
  "description":"Rule - Alerting 2.1.2 testing",
  "qql":"(file.fullPath:'*\\System32\\*' and action:Attributes )",
  "windowTime":0,
  "slideTime":900000,
  "matchCount":3,
  "fromHour":0,
  "fromMinute":0,
  "duration":0,
  "aggregate":true,
  "aggregationKeys":[
    "tokens"
  ],
  "actions":[
    {
      "id":"54x62750-xx5x-11x9-9525-51f120x87xx9",
      "actionType":"qemail",
      "name":"Alerting 2.1.2 Testing",
      "subject":"Alerting 2.1.2 Testing",
      "alert":"Alerting 2.1.2 Testing",
      "emailRecipients":[
        "ja18@qualys.com",
        "jd2@qualys.com",
        "jd@qualys.com"
      ],
      "slackChannel":null,
      "subjectParameters":[
      ],
      "bodyParameters":[
      ]
    }
  ],
  "created":1569172952451,
  "createdBy":"John Doe",
  "createdById":"quays_jd2",
  "updated":1569332877053,
  "updatedBy":"John Doe",
  "updatedById":"quays_jd2",
  "lastRun":1569312595868,
  "active":false,
  "ruleState":"DISABLED",
  "actionNames":[
    "Alerting 2.1.2 Testing"
  ],
  "trigger":"Single Match"
}

Fetch details for Alert Rule
/fim/v3/alert/rules/{ruleId}
[GET]

To search the details for the given rule id.

Note: The API will return the default value for the following fields:
For Single Match: slideTime, matchCount, aggregate, aggregationKeys.
For Time-Window Scheduled Match: slideTime, matchCount.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Not found
- 503: Service unavailable

Input Parameters

ruleId (Required) ID of the alert rule you want the details for.

Sample

Request:
curl -X GET \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/rules/{ruleId} \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "customerId": "x5x0514x-x211-x1x4-809x-x3x2xx667xxx",
  "applicationName": "FIM",
  "id": "8xx98x30-xx5x-11x9-9036-339x439x1x4x",
  "datasource": "EVENTS",
  "ruleType": "simple alert",
  "name": "",
  "description": "",
  "qql": "(file.fullPath:'*\\System32\\*' and action:Attributes )",
  "windowTime": 0,
  "slideTime": 900000,
  "matchCount": 3,
  "fromHour": 0,
  "fromMinute": 0,
  "duration": 0,
  "aggregate": true,
  "aggregationKeys": [
    "tokens"
  ],
  "actions": [{
    "id": "54x62750-xx5x-11x9-9525-51x120x87xx9",
    "actionType": "qemail",
    "name": "Alerting 2.1.2 Testing",
    "subject": "Alerting 2.1.2 Testing",
    "alert": "Alerting 2.1.2 Testing",
    "emailRecipients": [
      "jd1@qualys.com",
      "ja28@qualys.com",
      "jd@qualys.com"
    ],
    "slackChannel": null,
    "subjectParameters": [],
    "bodyParameters": []
  }],
  "created": 1569172952451,
  "createdBy": "John Doe",
  "createdById": "quays_jd2",
  "updated": 1569332877053,
  "updatedBy": "John Doe",
  "updatedById": "quays_jd2",
  "lastRun": 1569312595868,
  "active": false,
  "ruleState": "DISABLED",
  "actionNames": [
    "Alerting 2.1.2 Testing"
  ],
  "trigger": "Single Match"
}

Enable Alert Rule
/fim/v3/alert/rules/{ruleId}/enable
[POST]

To enable an Alert rule.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Not Found
- 503: Service unavailable

Input Parameters

ruleId (Required) ID of the alert rule you want to enable.

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/rules/{ruleId}/enable \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "enabled": true
}

Disable Alert Rule
/fim/v3/alert/rules/{ruleId}/disable
[POST]

To disable an alert rule.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Not Found
- 503: Service unavailable

Input Parameters

ruleId (Required) ID of the alert rule you want to disable.

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/rules/{ruleId}/disable \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "disabled": true
}

Delete an Alert Rule
/fim/v3/alert/rules/{ruleId}/delete
[POST]

To delete an alert rule.

Response Code
- 201: Successful
- 401: Unauthorized
- 404: Not Found
- 503: Service unavailable

Input Parameters

ruleId (Required) ID of the alert rule you want to delete.

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/rules/{ruleId}/delete \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "deleted": true
}

Alerting Activities API
Fetch the generated alerts for FIM
Count Number of Alerts Generated for FIM

Fetch the generated alerts for FIM
/fim/v3/alert/activities/search
[POST]

To search all the Alerting activities for FIM.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

filter (String) Filter the alerts by providing a query using Qualys syntax.
Refer to the "How to Search" topic in the Online Help for
assistance with creating your query.
For example: ruleName:POD12: Email Rule

pageNumber The page number to be returned. The number starts from
zero.

pageSize The number of records per page to be included in the
response. Default is 10.

sort (String) Sort the results using a Qualys token. For example -
"sort":"[{\"status\":\"desc\"}]"

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/activities/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "filter": "string",
  "pageNumber": {},
  "pageSize": {},
  "sort": "String"
}

Response:
  "statusDate": 1560569128488,
  "subject": "PagerDuty Test Action with John's Service Key",
  "identifiers": [
    "xxx18x49x-1x2x-3xxx-x7x1-4787xxx5xxxx"
  ],
  "emailRecipients": [],
  "matches": 1,
  "ruleDescription": "Rule to test PagerDuty account",
  "aggregate": true,
  "actionType": "pagerduty",
  "createdBy": "John Doe",
  "alert": "Testing the pager duty account, to check the calls sms\nSecurity\xxx5026x1-0xx8-4x4x-9xx4-64x8x1xx905f\nJohn Linux FIM\nCentOS Linux 7.5.1804\n2\n[Linux Profile]\n[[f0534cd2-8f19-4a1d-986f-414d8ef5825d]]\nchgrp\n/usr/bin/chgrp\n2.4.0.72\n\n[7701016, 7905815]\xxx18x49x-1x2x-3xxx-x7x1-4787xxx5xxxx\n[My category JD]",
  "datasource": "EVENTS",
  "customerId": "x5x0514x-x211-x1b4-809x-x3x2xx667xxx",
  "actionId": "xx3xx0x0-8x68-11x9-9xx1-058683x890x9",
  "ruleName": "Rule to test PagerDuty account",
  "id": "x51xxxx1-8x91-11x9-88x1-x97xx3100467",
  "ruleId": "x5xx0190-8x68-11x9-x24x-87456x2x93x3",
  "applicationName": "FIM",
  "createdById": "quays_jd2",
  "actionName": "PagerDuty Test Action",
  "status": "SUCCESS"

Count Number of Alerts Generated for FIM
/fim/v3/alert/activities/count
[POST]

To count the alerting activities for FIM.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

filter (String) Filter the alerts by providing a query using Qualys syntax.
Refer to the "How to Search" topic in the Online Help for
assistance with creating your query.
For example - ruleName: POD12: Email Rule

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/alert/activities/count \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "filter": "String"
}

Response:
{
  "count": 86457
}

Chapter 6 - FIM Correlation API

Use these API functions to fetch FIM Correlation data.

- Fetch all Correlation Rules
- Fetch Correlation Rule Details for a particular Rule ID
- Fetch the count of Correlation Rules
- Create Correlation Rules
- Update Correlation Rule
- Activate Correlation Rule
- Deactivate Correlation Rule
- Delete Correlation Rule

Fetch all Correlation Rules
/fim/v3/autocorrelation/rules/search
[POST]

To search all the Correlation rules.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

attributes (String) (Optional) The list of comma-separated attributes that you
want to include in the response.

filter (String) (Optional) Filter the correlation rules by providing a query
using Qualys syntax. Refer to the "How to Search" topic in the
Online Help for assistance with creating your query.
For example - scheduleType: DAILY

pageNumber (Optional) The page number to be returned. The number
starts from zero.

pageSize (Optional) The number of records per page to be included in
the response. Default is 10.

sort (String) (Optional) Sort the results using correlation rule attributes.
Example: "sort":"[{\"ruleName\":\"asc\"}]"

Sample

Request:
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/autocorrelation/rules/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "pageSize":1,
  "pageNumber":1,
  "filter":"approvalType: MANUAL",
  "sort":"[{\"ruleName\":\"asc\"}]"
}

Response:
[
  {
    "fixDate": "2020-03-27",
    "approvalStatus": null,
    "updatedBy": {
      "date": 1585289546339
    },
    "changeType": null,
    "approvalType": "MANUAL",
    "description": "",
    "reviewers": [
      "quays_fa"
    ],
    "deletedBy": null,
    "deleted": false,
    "scheduleType": "ONETIME",
    "dayOfMonth": null,
    "createdBy": {
      "date": 1585289546339
    },
    "customerId": "25x14x60-80x1-4x25-8166-6653x4x2x094",
    "ruleName": "*",
    "days": [],
    "startTime": "06:30:00",
    "dispositionCategory": null,
    "comment": "",
    "id": "1xxx7x30-x730-4x94-xx03-xx98x4xx28x1",
    "endTime": "08:00:00",
    "filterQuery": "action:Create",
    "status": "ACTIVATED"
  }
]

Fetch Correlation Rule Details for a particular Rule ID
/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}
[GET]

To search Correlation rule details for a particular Rule ID.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Not found
- 503: Service unavailable

Input Parameters

RuleId (Required) ID of the correlation rule you want to fetch the
details for.

Sample

Request:
curl -X GET \
  https://gateway.qg1.apps.qualys.com/fim/v3/autocorrelation/rules/{autoCorrelationRuleId} \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "customerId": "003x084-643x-x4xx-8336-x2530663x0x2",
  "id": "479886xx-0xx7-46xx-x00x-1xxx9x07x58x",
  "ruleName": "dyno 007",
  "filterQuery": "file.name:yesyes.txt",
  "description": "",
  "startTime": "11:32:00",
  "endTime": "11:33:00",
  "scheduleType": "DAILY",
  "days": null,
  "fixDate": null,
  "changeType": "MANUAL",
  "dispositionCategory": "PATCHING",
  "approvalType": "AUTOMATED",
  "approvalStatus": "UNAPPROVED",
  "reviewers": [
    "quays_hs"
  ],
  "deleted": false,
  "status": "ACTIVATED",
  "dayOfMonth": null,
  "comment": ",",
  "createdById": null,
  "createdByName": null,
  "createdDate": "2020-05-04T05:56:11.497+0000",
  "updatedById": null,
  "updatedByName": null,
  "updatedDate": "2020-05-04T05:56:11.497+0000",
  "deletedById": null,
  "deletedByName": null,
  "deletedDate": null
}


Fetch the count of Correlation Rules
/fim/v3/autocorrelation/rules/count
[POST]

To get the count of Correlation rules.

Response Code
- 200: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

filter (String)
(Optional) Filter the rules by providing a query using Qualys
syntax. Refer to the "How to Search" topic in the Online Help
for assistance with creating your query.
For example - scheduleType: DAILY

groupBy (String)
Group results based on certain parameters (provide comma
separated list).
For example - ruleName

interval (String)
(Optional) GroupBy interval for date fields. Valid values are
y(year), q(quarter), M(month), w(week), d(day), h(hour),
m(minute), s(second).
For example - 1d
An interval lower than a second is not supported.
Note: Value for each interval period should be 1. For example,
you can specify an interval of 1y, 1M, 1w, and so on, but not
2y, 3M, etc.

limit
(Optional) Limit the number of rows fetched by the groupBy
function.

sort (String)
(Optional) Sort the results using a Qualys token.
For example - [{\"ruleName\":\"asc\"}]

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/autocorrelation/rules/count" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "groupBy": ["approvalType"],
  "limit": 2,
  "filter": "reviewers:quays fa"
}

Response:
{
  "MANUAL": 105,
  "AUTOMATED": 10
}

Create Correlation Rules
/fim/v3/autocorrelation/rules/create
[POST]

To create Correlation rules.

Response Code
- 201: Successful
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

ruleName (String)
(Required) The name of the correlation rule. The length
should be between 1 to 112 characters.

description (String)
The description for the correlation rule.

filterQuery (String)
(Required) Filter query using Qualys syntax to match the
events with the incidents. Refer to the "How to Search" topic in
the Online Help for assistance with creating your query.

reviewers (String)
(Required) A list of comma separated user names to review
the incidents created from the rule.

approvalType
(Required) Approval Type of the Incident created by this rule.
Allowed values: "AUTOMATED" or "MANUAL"

approvalStatus
(Required if the Approval Type is Automated) The approval
status of the incident created by the rule.
Allowed values: "APPROVED", "POLICY_VIOLATION",
"UNAPPROVED", "NA".

changeType
(Required if approval type is Automated) Type of Incidents
created by the rule.
Allowed values: "MANUAL", "AUTOMATED", "COMPROMISE",
"OTHER".

comment (String)
(Required if approval type is Automated) Comments for
Incidents created by rule.

dispositionCategory
(Required if approval type is Automated) The category of the
Incident created by the rule.
Allowed values: "PATCHING",
"PRE_APPROVED_CHANGE_CONTROL",
"CONFIGURATION_CHANGE", "HUMAN_ERROR",
"DATA_CORRUPTION", "EMERGENCY_CHANGE",
"CHANGE_CONTROL_VIOLATION", "GENERAL_HACKING",
"MALWARE"

scheduleType
(Required) The schedule for the rule.
Allowed values: "ONETIME", "DAILY", "WEEKLY", "MONTHLY"

startTime
(Required) Time when the Correlation rule must start.
Format: "HH:mm:ss"
Note: The time must be mentioned in UTC format.

endTime
(Required if Schedule Type is selected as "ONETIME") Time
when the Correlation rule should end.
Format: "HH:mm:ss".
Note: The time must be mentioned in UTC format.

fixDate
(Required if Schedule Type is selected as "ONETIME")
The date on which the rule is executed.
Format: "yyyy-MM-dd".
Note: Value should not be a past date.
Note: The date must be mentioned in UTC format.

dayOfMonth
(Required if Schedule Type is selected as "MONTHLY")
The days of the month on which the rule is executed.
Allowed values: integer (1-31).

days
For recurring weekly schedules, it is the list of days on which
the rule is executed.
Allowed values: integer (1-7), where Sunday is 1 and Saturday
is 7. Default value is 1 (Sunday).


Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/autocorrelation/rules/create" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "fixDate": "2020-06-04",
  "approvalStatus": "APPROVED",
  "changeType": "AUTOMATED",
  "approvalType": "AUTOMATED",
  "description": "test",
  "reviewers": [
    "quays wk29"
  ],
  "scheduleType": "ONETIME",
  "ruleName": "rulename 2 3",
  "startTime": "12:00:00",
  "dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL",
  "comment": "some comment ",
  "endTime": "23:59:00",
  "filterQuery": "action:Create"
}

Response:
{
  "customerId": "25x14x60-80x1-4x25-8166-6653x4x2x094",
  "id": "5438x40c-x469-4x37-xxxx-9xx19x10x8x9",
  "ruleName": "rulename 2 3",
  "filterQuery": "action:Create",
  "description": "test",
  "startTime": "12:00:00",
  "endTime": "23:59:00",
  "scheduleType": "ONETIME",
  "days": [],
  "fixDate": "2020-06-04",
  "changeType": "AUTOMATED",
  "dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL",
  "approvalType": "AUTOMATED",
  "approvalStatus": "APPROVED",
  "reviewers": [
    "quays wk29"
  ],
  "comment": "some comment ",
  "createdBy": {
    "user": {
      "id": "51xxxx4x-5xx5-xxx6-8141-5x7887xx557x",
      "name": "FIM Automation"
    },
    "date": 1591164238040
  },
  "updatedBy": {
    "user": {
      "id": "51xxxx4x-5xx5-xxx6-8141-5x7887xx557x",
      "name": "FIM Automation"
    },
    "date": 1591164238040
  }
}

Update Correlation Rule
/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}/update
[POST]

To update a Correlation rule.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Not found
- 503: Service unavailable

Input Parameters

description (String) The description for the correlation rule.

reviewers (String) A list of comma separated user names to review the incidents
created from the rule.

approvalType Approval Type of the Incident created by this rule.
Allowed values: "AUTOMATED" or "MANUAL"

approvalStatus (Required if the Approval Type is Automated) The approval
status of the incident created by the rule.
Allowed values: "APPROVED", "POLICY_VIOLATION",
"UNAPPROVED", "NA".

changeType (Required if approval type is Automated) Type of Incidents
created by the rule.
Allowed values: "MANUAL", "AUTOMATED", "COMPROMISE",
"OTHER".

comment (String) (Required if approval type is Automated) Comments for
Incidents created by rule.

dispositionCategory (Required if approval type is Automated) The category of the
Incident created by the rule.
Allowed values: "PATCHING",
"PRE_APPROVED_CHANGE_CONTROL",
"CONFIGURATION_CHANGE", "HUMAN_ERROR",
"DATA_CORRUPTION", "EMERGENCY_CHANGE",
"CHANGE_CONTROL_VIOLATION", "GENERAL_HACKING",
"MALWARE"

scheduleType The schedule for the rule.
Allowed values: "ONETIME", "DAILY", "WEEKLY", "MONTHLY"
Note: This parameter cannot be updated from:
- ONETIME to WEEKLY, MONTHLY, DAILY or
- WEEKLY, MONTHLY, DAILY to ONETIME
Also, a ONETIME rule cannot be updated after its END time is over.

startTime Time when the Correlation rule must start.
Format: "HH:mm:ss"
Note: The time must be mentioned in UTC format.

endTime (Required if Schedule Type is selected as "ONETIME") Time
when the Correlation rule should end.
Format: "HH:mm:ss"
Note: The time must be mentioned in UTC format.

fixDate (Required if Schedule Type is selected as "ONETIME")
The date on which the rule is executed.
Format: "yyyy-MM-dd"
Note: Its value should not be a past date. The date must be
mentioned in UTC format.

dayOfMonth (Required if Schedule Type is selected as "MONTHLY")
The days of the month on which the rule is executed.
Allowed values: integer (1-31).

days For recurring weekly schedules, it is the list of days on which
the rule is executed.
Allowed values: integer (1-7), where Sunday is 1 and Saturday
is 7. Default value is 1 (Sunday).


Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}/update" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "fixDate": "2020-06-09",
  "endTime": "13:00:00",
  "startTime": "06:30:00",
  "description": "update description",
  "reviewers": [
    "updated reviewer"
  ]
}


Response:
{
  "customerId": "25x14x60-80x1-4x25-8166-6653x4e2x094",
  "id": "5438e40c-a469-4e37-aaac-9ff19c10e8f9",
  "ruleName": "rulename 2 3",
  "filterQuery": "action:Create",
  "description": "update description",
  "startTime": "06:30:00",
  "endTime": "13:00:00",
  "scheduleType": "ONETIME",
  "days": null,
  "fixDate": "2020-06-09",
  "changeType": "AUTOMATED",
  "dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL",
  "approvalType": "AUTOMATED",
  "approvalStatus": "APPROVED",
  "reviewers": [
    "updated reviewer"
  ],
  "deleted": false,
  "status": "ACTIVATED",
  "dayOfMonth": null,
  "comment": "some comment ",
  "createdById": "51xxxx4x-5xx5-xxx6-8141-5x7887xx557x",
  "createdByName": "FIM Automation",
  "createdDate": "2020-06-03T06:03:58.040+0000",
  "updatedById": "51fbdb4b-5fb5-fdf6-8141-5a7887ec557b",
  "updatedByName": "FIM Automation",
  "updatedDate": "2020-06-03T06:38:55.092+0000",
  "deletedById": null,
  "deletedByName": null,
  "deletedDate": null
}
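
The Create and Update parameter tables above make several fields mandatory only under a condition (AUTOMATED approval, a particular scheduleType) and forbid some schedule changes on update. The following Python pre-flight check for a request body is an added example, not Qualys code; the function names, the error strings, and accepting dayOfMonth as either one integer or a list are assumptions.

```python
import re
from datetime import date, datetime, timezone

# Allowed values as listed in the parameter tables on this page.
APPROVAL_TYPES = ("AUTOMATED", "MANUAL")
APPROVAL_STATUSES = ("APPROVED", "POLICY_VIOLATION", "UNAPPROVED", "NA")
CHANGE_TYPES = ("MANUAL", "AUTOMATED", "COMPROMISE", "OTHER")
DISPOSITIONS = (
    "PATCHING", "PRE_APPROVED_CHANGE_CONTROL", "CONFIGURATION_CHANGE",
    "HUMAN_ERROR", "DATA_CORRUPTION", "EMERGENCY_CHANGE",
    "CHANGE_CONTROL_VIOLATION", "GENERAL_HACKING", "MALWARE",
)
SCHEDULE_TYPES = ("ONETIME", "DAILY", "WEEKLY", "MONTHLY")
TIME_RE = re.compile(r"([01]\d|2[0-3]):[0-5]\d:[0-5]\d")  # HH:mm:ss
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")                 # yyyy-MM-dd

def _is_time(value):
    return isinstance(value, str) and TIME_RE.fullmatch(value) is not None

def _parse_date(value):
    """Return a date for a strict yyyy-MM-dd string, otherwise None."""
    if not isinstance(value, str) or not DATE_RE.fullmatch(value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:  # e.g. 2020-13-40
        return None

def _ints_in(values, low, high):
    """True when values (one int or a list of ints) all lie in [low, high]."""
    values = values if isinstance(values, list) else [values]
    return bool(values) and all(type(v) is int and low <= v <= high for v in values)

def validate_create(body, today=None):
    """Return a list of problems; an empty list means the body passes."""
    today = today or datetime.now(timezone.utc).date()  # dates are UTC
    errs = []
    name = body.get("ruleName")
    if not isinstance(name, str) or not 1 <= len(name) <= 112:
        errs.append("ruleName: required, 1 to 112 characters")
    for field in ("filterQuery", "reviewers"):
        if not body.get(field):
            errs.append(f"{field}: required")
    approval = body.get("approvalType")
    if approval not in APPROVAL_TYPES:
        errs.append("approvalType: required, AUTOMATED or MANUAL")
    if approval == "AUTOMATED":
        # These fields are mandatory only when approval is automated.
        for field, allowed in (("approvalStatus", APPROVAL_STATUSES),
                               ("changeType", CHANGE_TYPES),
                               ("dispositionCategory", DISPOSITIONS)):
            if body.get(field) not in allowed:
                errs.append(f"{field}: required for AUTOMATED approval")
        if not body.get("comment"):
            errs.append("comment: required for AUTOMATED approval")
    schedule = body.get("scheduleType")
    if schedule not in SCHEDULE_TYPES:
        errs.append("scheduleType: required, ONETIME/DAILY/WEEKLY/MONTHLY")
    if not _is_time(body.get("startTime")):
        errs.append("startTime: required, HH:mm:ss in UTC")
    if schedule == "ONETIME":
        if not _is_time(body.get("endTime")):
            errs.append("endTime: required for ONETIME, HH:mm:ss in UTC")
        fix_date = _parse_date(body.get("fixDate"))
        if fix_date is None:
            errs.append("fixDate: required for ONETIME, yyyy-MM-dd")
        elif fix_date < today:
            errs.append("fixDate: must not be a past date")
    if schedule == "MONTHLY" and not _ints_in(body.get("dayOfMonth"), 1, 31):
        errs.append("dayOfMonth: required for MONTHLY, integer 1-31")
    if schedule == "WEEKLY" and not _ints_in(body.get("days") or [1], 1, 7):
        errs.append("days: integers 1 (Sunday) to 7 (Saturday)")
    return errs

def check_update(current, update, now=None):
    """Apply the Update notes to a stored rule and a proposed change."""
    now = now or datetime.now(timezone.utc)
    errs = []
    old, new = current.get("scheduleType"), update.get("scheduleType")
    if new and new != old and "ONETIME" in (old, new):
        errs.append(f"scheduleType: cannot change {old} to {new}")
    if old == "ONETIME":
        end = datetime.fromisoformat(f"{current['fixDate']}T{current['endTime']}+00:00")
        if now > end:
            errs.append("rule: ONETIME rule cannot be updated after its end time")
    return errs

# Request body from the Create sample on this page.
SAMPLE = {
    "fixDate": "2020-06-04", "endTime": "23:59:00", "startTime": "12:00:00",
    "scheduleType": "ONETIME", "ruleName": "rulename 2 3",
    "filterQuery": "action:Create", "description": "test",
    "reviewers": ["quays wk29"], "approvalType": "AUTOMATED",
    "approvalStatus": "APPROVED", "changeType": "AUTOMATED",
    "dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL",
    "comment": "some comment ",
}
```

Pass `today` and `now` explicitly when checking bodies in tests or in a change pipeline, so that the past-date and end-time checks are reproducible.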

Activate Correlation Rule
/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}/activate
[POST]

To set a Correlation rule to the active state.

Note: After a Correlation rule is created, it is in an active state by default.

Response Code
- 201: Successful
- 404: Not found
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

autoCorrelationRuleId (Required) ID of the rule you want to activate.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}/activate" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "status": "ACTIVATED"
}

Deactivate Correlation Rule
/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}/deactivate
[POST]

To deactivate a Correlation rule.

Response Code
- 200: Successful
- 404: Not found
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

autoCorrelationRuleId (Required) ID of the rule you want to deactivate.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}/deactivate" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "status": "DEACTIVATED"
}

Delete Correlation Rule
/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}/delete
[POST]

To delete a Correlation rule.

Response Code
- 200: Successful
- 404: Not found
- 401: Unauthorized
- 503: Service unavailable

Input Parameters

autoCorrelationRuleId (Required) ID of the rule you want to delete.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/autocorrelation/rules/{autoCorrelationRuleId}/delete" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "deleted": true
}

Use these API functions to fetch FIM Profile data.

Search a Profile
Activate a Profile
Assign an Asset to a Profile
Assign Tags to a Profile
Export the Profile in XML Format
Export a Profile in JSON format
Import a Profile from XML File Inputs
Import a Profile from JSON File Inputs
List the Profile Categories
Deactivate a Profile

Search a Profile
/fim/v3/profiles/search
[POST]

To search for a Profile.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Profile not found
- 500: Internal Server error

Input Parameters

attributes (String)
(Required) The list of comma-separated attributes that you
want to include in the response. By default, all attributes will
be returned in the result.

filter (String)
(Required) Filter the Profile rules by providing a query
using Qualys syntax. Refer to the "How to Search" topic in the
Online Help for assistance with creating your query.
For example - action: 'Content'

pageNumber
(Required) The page number to be returned. The number
starts from zero.

pageSize
(Required) The number of records per page to be included in
the response. Default is 10.

sort (String)
(Required) Sort the results using Profile rule attributes.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/profiles/search" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "attributes": "string",
  "filter": "string",
  "pageNumber": "number",
  "pageSize": "number",
  "sort": "string"
}

Response:
{
  "updatedBy": {
    "date": 1582023188082,
    "user": {
      "name": "John Doe",
      "id": "x37x1x6x-x023-x948-80xx-2xx6022x3436"
    }
  },
  "assetTagIds": [],
  "assetIds": [],
  "type": "LINUX",
  "version"; "TI Ont.
  "syncFromId": "00000000-0000-0001-0000-000000000001",
  "deletedBy": null,
  "deleted": false,
  "importRegistryRules": false,
  "registryProfile": false,
  "createdBy": {
    "date": 1581935157993,
    "user": {
      "name": "John Doe",
      "id": "x37x1x6x-x023-x948-80xx-2xx6022x3436"
    }
  },
  "name": "Linux testing FIM-3387 ",
  "customerId": "x5x0514x-x211-x1x4-809x-x3x2xx667xxx",
  "id": "x444920x-81xx-4xx6-x018-x44b0xx2xx22",
  "category": {
    "name": "PCI",
    "id": "2xxx5022-2xxx-11x7-93xx-92361f002671"
  },
  "syncType": "NOT APPLICABLE",
  "status": "DEACTIVATED"
}

Activate a Profile
/fim/v3/profiles/{profileId}/activate
[POST]

To activate a Profile.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Profile not found
- 409: Conflict if the profile is activated.
- 500: Internal Server error

Input Parameters

profileId (Required) ID of the profile that is to be activated.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/profiles/{profileId}/activate" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'

Response:
{
  "status": "ACTIVATED"
}

Assign an Asset to a Profile
/fim/v3/profiles/{profileId}/assets
[POST]

To assign an asset to a Profile.

Response Code
- 200: Successful
- 401: Unauthorized
- 404: Profile not found
- 500: Internal Server error

Input Parameters

assetIdsForProfile (Required) The UUID of the asset you want to assign to the
profile.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/profiles/{profileId}/assets" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "assetIdsForProfile": [
    "asset uuid 1", "asset uuid2"
  ]
}

Response:
{
  "assetsAdded": true
}

Assign Tags to a Profile
/fim/v3/profiles/{profileId}/assettags
[POST]

To assign a tag to a Profile.

Note: Using this API, only tags that contain FIM activated assets can be assigned to a profile.

Response Code
- 200: Successful
- 400: Profile ID does not exist
- 401: Unauthorized
- 404: Profile not found
- 500: Internal Server error

Input Parameters

assetTagIdsForProfile (Required) List of asset tag IDs that you want to assign to
the profile.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/profiles/{profileId}/assettags" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
{
  "assetTagIdsForProfile": [
    "tag id 1", "tag id 2"
  ]
}

Response:
{
  "assetTagsAdded": true
}

Export the Profile in XML Format
/fim/v3/profiles/{profileId}/exportxml
[POST]

To export the Profile in XML format.

Response Code
- 200: Successful
- 400: Profile ID does not exist
- 401: Unauthorized
- 404: Profile not found
- 500: Internal Server error

Input Parameters

profileId (Required) The ID for the profile that needs to be exported.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/profiles/{profileId}/exportxml" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'


Response:
<?xml version="1.0" encoding="UTF-8"?>
<profile>
  <id>20x213xx-xx2x-44x0-xxx3-x95940x49x62</id>
  <name>FIM-2998 windows</name>
  <version>1.0</version>
  <description />
  <type>WINDOWS</type>
  <category>
    <id>9xx0154x-70x8-4807-90xx-xxxxx6xx59xx</id>
    <name>PCI</name>
  </category>
  <rules>
    <rule>
      <id>32xxx356-xx8x-4334-x972-33x6x428xx79</id>
      <type>directory</type>
      <imagePath>C:\\Windows\\System32\\</imagePath>
      <description>Rule Description</description>
      <recursiveDepth>2</recursiveDepth>
      <notifyFor>
        <directory>
          <notify>rename</notify>
          <notify>modifyMetadata</notify>
          <notify>delete</notify>
          <notify>modifySecuritySettings</notify>
          <notify>create</notify>
        </directory>
        <file>
          <notify>rename</notify>
          <notify>modifyContent</notify>
          <notify>delete</notify>
          <notify>modifyMetadata</notify>
          <notify>create</notify>
          <notify>modifySecuritySettings</notify>
        </file>
      </notifyFor>
      <inclusions>
        <inclusion>
          <objectType>file</objectType>
          <patterns>
            <pattern>C:\Windows\*.txt</pattern>
          </patterns>
        </inclusion>
      </inclusions>
      <exclusions>
        <exclusion>
          <objectType>file</objectType>
          <patterns>
            <pattern>C:\Windows\*.log</pattern>
          </patterns>
        </exclusion>
      </exclusions>
      <severity>3</severity>
      <name>Rule Name 2</name>
    </rule>
    <rule>
      <id>32xxx356-xx8x-4334-x972-33x6x428xx78</id>
      <type>key</type>
      <imagePath>HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run</imagePath>
      <description></description>
      <recursiveDepth>2</recursiveDepth>
      <notifyFor>
        <directory/>
        <file/>
        <key>
          <notify>rename</notify>
          <notify>delete</notify>
          <notify>create</notify>
          <notify>modifySecuritySettings</notify>
        </key>
        <value>
          <notify>delete</notify>
          <notify>modifyContent</notify>
        </value>
      </notifyFor>
      <inclusions>
        <inclusion>
          <objectType>key</objectType>
          <patterns>
            <pattern>childkey</pattern>
          </patterns>
        </inclusion>
        <inclusion>
          <objectType>value</objectType>
          <patterns>
            <pattern>childvalue</pattern>
          </patterns>
        </inclusion>
      </inclusions>
      <exclusions/>
      <severity>3</severity>
      <name>Registry Rule</name>
    </rule>
    <rule>
      <id>32xxx356-xx8x-4334-x972-33x6x428xx87</id>
      <type>value</type>
      <imagePath>HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run</imagePath>
      <description></description>
      <notifyFor>
        <directory/>
        <file/>
        <key/>
        <value>
          <notify>delete</notify>
          <notify>modifyContent</notify>
        </value>
      </notifyFor>
      <inclusions/>
      <exclusions/>
      <severity>3</severity>
      <name>Registry Rule 2</name>
      <valueName>TeamsMachineInstaller</valueName>
    </rule>
  </rules>
</profile>


Chapter 7 - FIM Profile APIs


Export the Profile in JSON Format
/fim/v3/profiles/{profileId}/exportjson
[POST]

To export the profile in JSON format.

Response Code
- 200: Successful
- 400: Profile ID does not exist
- 401: Unauthorized
- 404: Profile not found
- 500: Internal Server error

Input Parameters

profileId (Required) The ID for the profile that needs to be exported.

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/profiles/{profileId}/exportjson" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'


Response:
{
  "id": "20x213xx-xx2x-44x0-xxx3-x95940x49x62",
  "name": "FIM-2998 windows",
  "version": "1.0",
  "description": "Profile Description",
  "type": "WINDOWS",
  "category": {
    "id": "9xx0154x-70x8-4807-90xx-xxxxx6xx59xx",
    "name": "PCI 1"
  },
  "rules": [
    {
      "id": "32xxx356-xx8x-4334-x972-33x6x428xx79",
      "type": "directory",
      "imagePath": "C:\\Windows",
      "description":
      "recursiveDepth": "2",
      "notify": {
        "directory": [
          "rename",
          "modifyMetadata",
          "delete",
          "modifySecuritySettings",
          "create"
        ],
        "file": [
          "rename",
          "modifyContent",
          "delete",
          "modifyMetadata",
          "create",
          "modifySecuritySettings"
        ]
      },
      "monitorOwnership": false,
      "inclusionFilter": [
        {
          "objectType": "file",
          "patterns": [
            "C:\\Windows\\*.txt"
          ]
        },
        {
          "objectType": "file",
          "patterns": [
            "C:\\Windows\\*.log"
          ]
        }
      ],
      "exclusionFilter": [],
      "severity": 3,
      "name": "Rule 1"
    },
    {
      "id": "x540x323-xxx7-439x-x247-x33xx6x42x71",
      "type": "directory",
      "imagePath": "D:\\MyDir",
      "description": "Description",
      "recursiveDepth": "None",
      "notify": {
        "directory": [
          "rename",
          "delete"
        ],
        "file": [
          "delete"
        ]
      },
      "monitorOwnership": false,
      "inclusionFilter": [
        {
          "objectType": "file",
          "patterns": [
            "C:\\Windows\\*.txt"
          ]
        },
        {
          "objectType": "file",
          "patterns": [
            "C:\\Windows\\*.log"
          ]
        }
      ],
      "exclusionFilter": [],
      "severity": 3,
      "name": "Rule 2"
    },
    {
      "id": "140d8726-5065-4eb9-8640-7c92665788e6",
      "type": "key",
      "imagePath": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
      "description": "Description",
      "recursiveDepth": "2",
      "notify": {
        "directory": [],
        "file": [],
        "key": [
          "rename",
          "delete",
          "create",
          "modifySecuritySettings"
        ],
        "value": [
          "delete",
          "modifyContent"
        ]
      },
      "monitorOwnership": false,
      "inclusionFilter": [
        {
          "objectType": "key",
          "size": null,
          "operator": null,
          "attribute": null,
          "patterns": [
            "childkey"
          ]
        },
        {
          "objectType": "value",
          "size": null,
          "operator": null,
          "attribute": null,
          "patterns": [
            "childvalue"
          ]
        }
      ],
      "exclusionFilter": [],
      "severity": 3,
      "name": "Registry Rule"
    },
    {
      "id": "6b9aeadb-9204-42ab-afc4-231cdl1dec8c3",
      "type": "value",
      "imagePath": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
      "description": "Description",
      "notify": {
        "directory": [],
        "file": [],
        "key": [],
        "value": [
          "delete",
          "modifyContent"
        ]
      },
      "monitorOwnership": false,
      "inclusionFilter": [],
      "exclusionFilter": [],
      "severity": 3,
      "name": "Registry Rule 2",
      "valueName": "TeamsMachineInstaller"
    }
  ]
}

Import a Profile from XML File Inputs
/fim/v3/profiles/importxml
[POST]

To create a profile from XML inputs.

Response Code
- 201: Successful
- 401: Unauthorized
- 404: Profile not found
- 500: Internal Server error

Input Parameters

name (String) The name of the profile.

description (String) Description of the profile.

category.id The ID of the category.

category.name Name of the Category.

type Type of profile.
Example: WINDOWS or LINUX.

rules.rule.type Type of the Rule.
Example: file/directory/key/value

rules.severity Severity of Rule.
Allowed values: 1,2,3,4,5

rules.rule.imagePath Path on the asset which needs to be monitored.

rules.rule.description Description of the Rule.

rules.rule.recursiveDepth Depth of directory we need to monitor.
Allowed values: 1,2,3,4,5,6,7,8,9, None, All

rules.rule.valueName If Type of the Rule is Value: the Registry key value name.

rules.rule.notifyFor.directory List of directory attributes which need to be monitored.
Allowed values: create, delete, rename, modifyMetadata,
modifySecuritySettings

rules.rule.notifyFor.file List of file attributes which need to be monitored.
Allowed values: create, delete, rename, modifyContent,
modifyMetadata, modifySecuritySettings

rules.rule.notifyFor.key List of key attributes which need to be monitored.
Allowed values: create, delete, rename,
modifySecuritySettings

rules.rule.notifyFor.value List of value attributes which need to be monitored.
Allowed values: delete, modifyContent

rules.rule.inclusions.inclusion.objectType Type of the object that needs to be in the inclusion filter of the
rule.
file/directory/key/value

rules.rule.inclusions.inclusion.patterns List of paths to be added as inclusion filters.
For example: C:\System32\*.log

rules.rule.exclusions.exclusion.objectType Type of the object that needs to be added in the exclusion filter of
the rule.
file/directory/key/value

rules.rule.exclusions.exclusion.patterns List of paths to be added in exclusion filters.
For example: C:\System32\*.log

Sample

Request:
curl -X POST \
  "https://gateway.qg1.apps.qualys.com/fim/v3/profiles/importxml" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json:
<?xml version="1.0" encoding="UTF-8"?>
<profile>
  <id>20x213xx-xx2x-44x0-xxx3-x95940x49x62</id>
  <name>FIM-2998 windows</name>
  <version>1.0</version>
  <description />
  <type>WINDOWS</type>
  <category>
    <id>9xx0154x-70x8-4807-90xx-xxxxx6xx59xx</id>
    <name>PCI</name>
  </category>
  <rules>
    <rule>
      <type>directory</type>
      <imagePath>C:\\Windows\\System32\\</imagePath>
      <description>Rule Description</description>
      <recursiveDepth>2</recursiveDepth>
      <notifyFor>
        <directory>
          <notify>rename</notify>
          <notify>modifyMetadata</notify>
          <notify>delete</notify>
          <notify>modifySecuritySettings</notify>
          <notify>create</notify>
        </directory>
        <file>
          <notify>rename</notify>
          <notify>modifyContent</notify>
          <notify>delete</notify>
          <notify>modifyMetadata</notify>
          <notify>create</notify>
          <notify>modifySecuritySettings</notify>
        </file>
      </notifyFor>
      <inclusions>
        <inclusion>
          <objectType>file</objectType>
          <patterns>
            <pattern>C:\Windows\*.txt</pattern>
          </patterns>
        </inclusion>
      </inclusions>
      <exclusions>
        <exclusion>
          <objectType>file</objectType>
          <patterns>
            <pattern>C:\Windows\*.log</pattern>
          </patterns>
        </exclusion>
      </exclusions>
      <severity>3</severity>
      <name>Rule Name 2</name>
    </rule>
    <rule>
      <id>32xxx356-xx8x-4334-x972-33x6x428xx78</id>
      <type>key</type>
      <imagePath>HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run</imagePath>
      <description>Rule Description</description>
      <recursiveDepth>2</recursiveDepth>
      <notifyFor>
        <directory/>
        <file/>
        <key>
          <notify>rename</notify>
          <notify>delete</notify>
          <notify>create</notify>
          <notify>modifySecuritySettings</notify>
        </key>
        <value>
          <notify>delete</notify>
          <notify>modifyContent</notify>
        </value>
      </notifyFor>
      <inclusions>
        <inclusion>
          <objectType>key</objectType>
          <patterns>
            <pattern>childkey</pattern>
          </patterns>
        </inclusion>
        <inclusion>
          <objectType>value</objectType>
          <patterns>
            <pattern>childvalue</pattern>
          </patterns>
        </inclusion>
      </inclusions>
      <exclusions/>
      <severity>3</severity>
      <name>Registry Rule</name>
    </rule>
    <rule>
      <id>32xxx356-xx8x-4334-x972-33x6x428xx87</id>
      <type>value</type>
      <imagePath>HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run</imagePath>
      <description></description>
      <notifyFor>
        <directory/>
        <file/>
        <key/>
        <value>
          <notify>delete</notify>
          <notify>modifyContent</notify>
        </value>
      </notifyFor>
      <inclusions/>
      <exclusions/>
      <severity>3</severity>
      <name>Registry Rule 2</name>
      <valueName>TeamsMachineInstaller</valueName>
    </rule>
  </rules>
</profile>

Import a Profile from JSON File Inputs
/fim/v3/profiles/importjson
[POST]

To create a profile from JSON file inputs.

Response Code
- 201: Successful
- 401: Unauthorized
- 404: Profile not found
- 500: Internal Server error

Input Parameters

name (String) The name of the profile.

type Type of profile.
Example: WINDOWS or LINUX.

category.id The ID of the category.

category.name Name of the Category.

description (String) Description of the profile.

rules.name Name of the rule.

rules.description Description of the rule.

rules.type Type of the Rule.
Example: file/directory/key/value

rules.imagePath Path which needs to be monitored.

rules.recursiveDepth In case of a directory rule, depth of directory we want to
monitor.
Allowed values: 1,2,3,4,5,6,7,8,9, None, All

rules.severity Severity of Rule.
Allowed values: 1,2,3,4,5

rules.valueName If Type of the Rule is Value: the Registry key value name.

rules.notify.directory List of directory attributes that need to be monitored.
Allowed values: create, delete, rename, modifyMetadata,
modifySecuritySettings.

rules.notify.file List of file attributes that need to be monitored.
Allowed values: create, delete, rename, modifyContent,
modifyMetadata, modifySecuritySettings.

rules.notify.key List of value attributes which need to be monitored.
Allowed values: delete, modifyContent

rules.notify.value List of key attributes which need to be monitored.
Allowed values: create, delete, rename,
modifySecuritySettings

rules.inclusionFilter.objectType Type of the object which needs to be in the inclusion filter of the
rule.
file/directory/key/value

rules.inclusionFilter.patterns List of paths to be added as inclusion filters.
For example: C:\System32\*.txt

rules.exclusionFilter.objectType Type of the object which needs to be in the exclusion filter of the
rule.
file/directory/key/value

rules.exclusionFilter.patterns List of paths to be added as exclusion filters.
For example: C:\System32\*.log


Sample 


Request: 
curl -X POST 
https://gateway.qgl.apps.qualys.com/fim/v3/profiles/importjson -H 
'authorization: Bearer «token»' -H 'content-type: 
application/json' -d @request.json 


Contents of request.json: 
{
  "name": "Profile name",
  "type": "WINDOWS",
  "category": {
    "id": "string",
    "name": "string"
  },
  "description": "Profile Description",
  "rules": [
    {
      "name": "Rule Name",
      "description": "string",
      "type": "file",
      "imagePath": "string",
      "recursiveDepth": "Nine",
      "Severity": 2,
      "notify": {
        "directory": [
          "rename",
          "delete",
          "create",
          "modifyMetadata",
          "modifySecuritySettings"
        ],
        "file": [
          "rename",
          "delete",
          "create",
          "modifyMetadata",
          "modifyContent",
          "modifySecuritySettings"
        ],
        "key": [],
        "value": []
      },
      "inclusionFilter": [
        {
          "objectType": "file",
          "patterns": [
            "C:\\Windows\\*.txt"
          ]
        }
      ],
      "exclusionFilter": [
        {
          "objectType": "file",
          "patterns": [
            "C:\\Windows\\*.log"
          ]
        }
      ]
    },
    {
      "type": "key",
      "imagePath": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
      "description": "",
      "recursiveDepth": "2",
      "notify": {
        "directory": [],
        "file": [],
        "key": [
          "rename",
          "delete",
          "create",
          "modifySecuritySettings"
        ],
        "value": [
          "delete",
          "modifyContent"
        ]
      },
      "inclusionFilter": [
        {
          "objectType": "key",
          "patterns": [
            "childkey"
          ]
        },
        {
          "objectType": "value",
          "patterns": [
            "childvalue"
          ]
        }
      ],
      "exclusionFilter": [
        {
          "objectType": "key",
          "patterns": [
            "excludechildkey"
          ]
        }
      ],
      "severity": 3,
      "name": "Registry Rule"
    },
    {
      "type": "value",
      "imagePath": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
      "description": "Rule description",
      "notify": {
        "directory": [],
        "file": [],
        "key": [],
        "value": [
          "delete",
          "modifyContent"
        ]
      },
      "severity": 3,
      "name": "Registry Rule 2",
      "valueName": "TeamsMachineInstaller"
    }
  ]
}
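A pre-flight check for the import body above, as an added example that is not part of the Qualys guide: it flags mistyped notify actions, filters that cancel each other out, and rules with no notify action selected, each of which would leave a monitoring gap. The function name, the findings wording and the sample profile are constructed for illustration; only the action and object-type names come from the parameter table.

```python
import json

# Names taken from the parameter table on this page.
ACTIONS = {"create", "delete", "rename", "modifyContent",
           "modifyMetadata", "modifySecuritySettings"}
OBJECT_TYPES = {"file", "directory", "key", "value"}


def lint_profile(profile):
    """Return findings for a /profiles/importjson body before it is sent."""
    findings = []
    for i, rule in enumerate(profile.get("rules", [])):
        label = rule.get("name") or f"rules[{i}]"
        notify = rule.get("notify", {})
        for target, actions in notify.items():
            if target not in OBJECT_TYPES:
                findings.append(f"{label}: unknown notify target {target!r}")
            for action in actions:
                if action not in ACTIONS:
                    findings.append(f"{label}: unknown action {action!r} on {target}")
        if not any(notify.values()):
            findings.append(f"{label}: no notify actions selected")
        included = set()
        for name in ("inclusionFilter", "exclusionFilter"):
            for flt in rule.get(name, []):
                if flt.get("objectType") not in OBJECT_TYPES:
                    findings.append(f"{label}: bad objectType in {name}")
                for pattern in flt.get("patterns", []):
                    if name == "inclusionFilter":
                        included.add(pattern)
                    elif pattern in included:
                        findings.append(f"{label}: {pattern!r} included and excluded")
    return findings


# Constructed sample: a mistyped action, a self-cancelling filter, an empty rule.
SAMPLE = json.loads(r"""
{"name": "Demo", "type": "WINDOWS", "rules": [
  {"name": "Run key", "type": "key",
   "notify": {"directory": [], "file": [], "key": ["create", "modifycontent"], "value": []},
   "inclusionFilter": [{"objectType": "key", "patterns": ["childkey"]}],
   "exclusionFilter": [{"objectType": "key", "patterns": ["childkey"]}]},
  {"name": "Quiet rule", "type": "file",
   "notify": {"directory": [], "file": [], "key": [], "value": []}}
]}""")

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```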
List the Profile Categories 
/fim/v3/categories/search 
[POST] 


To search the categories of a Profile. 


Response Code 
- 200: Successful 
- 401: Unauthorized 
- 404: Profile not found 
- 500: Internal Server error 


Sample 


Request: 
curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/categories/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' 


Response: 
[
  {
    "id": "2xxx5022-2xxx-11x7-93xx-92361x002671",
    "name": "PCI",
    "createdBy": {
      "user": {
        "id": "2xxx5270-2xxx-11x7-93xx-92361x002671",
        "name": "System"
      },
      "date": 1493813100000
    },
    "system": true,
    "deleted": false
  },
  {
    "id": "2xxb5374-2xxx-11x7-93xx-92361x002671",
    "name": "HIPAA",
    "createdBy": {
      "user": {
        "id": "2xxx5270-2xxx-11x7-93xx-92361x002671",
        "name": "System"
      },
      "date": 1493813100000
    },
    "system": true,
    "deleted": false
  }
]
Deactivate a Profile 
/fim/v3/profiles/{profileId}/deactivate 
[POST] 


To deactivate a Profile. 


Response Code 
- 200: Successful 
- 401: Unauthorized 
- 404: Profile not found 
- 409: Conflict if profile is already deactivated. 
- 500: Internal Server error 


Input Parameters 


profileId (Required) ID of the profile which needs to be deactivated. 


Sample 


Request: 


curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/profiles/{profileId}/deactivate \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' 


Response: 
{
  "status": "DEACTIVATED"
}
Chapter 8 - FIM Asset APIs 


Use these API functions to fetch FIM Asset data. 
Search Assets 
Count the Assets 


Search Assets 


/fim/v3/assets/search 
[POST] 


To search Assets based on criteria. 


Response Code 
- 200: Successful 
- 400: Bad Request 


- 500: Internal Server error 


Input Parameters 


Authorization (String) (Required) Authorization token to authenticate to the Qualys 
Cloud Platform. 
Prepend token with "Bearer" and one space. For example - 
Bearer auth Token 


attributes (String) (Optional) The list of comma-separated attributes that you 
want to include in the response. By default, all attributes will 
be returned in the result. 


filter (String) (Optional) Filter the Assets by providing a query 
using Qualys syntax. Refer to the "How to Search" topic in the 
Online Help for assistance with creating your query. 
For example - operatingSystem:'Microsoft Windows 10' 


pageNumber (Optional) The page number to be returned. The number 
starts from zero. 


pageSize (Optional) The number of records per page to be included in 
the response. Default is 10. 


includeTagData (Optional) Set the flag to "true" if you want the tags related 
information in the response. Else, set it to false. 


searchAfter (Optional) This parameter is required to fetch more than 
10,000 rows. 


notSentEventsForHours (Optional) List those assets that have not sent any events in 
the last "<enter value>" hours. This is an integer input, e.g. 10. 


sort (String) (Optional) Sort the results using Asset rule attributes. 

Sample 

Request: 


curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/assets/search \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json 


Contents of request.json: 
{
  "attributes": "name,manifest.status,operatingSystem",
  "filter": "agentUuid:fef2f2e0-636d-4d20-b68b-2c2967a9da5d"
}


Response: 
[
  {
    "sortValues": [],
    "data": {
      "manifest": {
        "status": "FIM MANIFEST APPLIED SUCCESS"
      },
      "name": "FIM API AUTOMATION",
      "id": "fef2f2e0-636d-4d20-b68b-2c2967a9da5d",
      "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 64-bit Service Pack 1 Build 7601"
    }
  }
]
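One way to use notSentEventsForHours together with pageNumber and pageSize to find assets that have stopped reporting FIM events, as an added example that is not code from the Qualys guide. It assumes the paging parameters are sent in the JSON body as integers, like attributes and filter in the sample above; the function names are hypothetical and BASE_URL must be set to the gateway for your platform.

```python
import json
import urllib.request

BASE_URL = "https://gateway.qg1.apps.qualys.com"  # use your platform's gateway
MAX_PAGED_ROWS = 10000  # beyond this the guide says searchAfter is required


def search_body(hours, page_number, page_size):
    """Request body for assets silent for `hours`; field names are from the table above."""
    return {
        "attributes": "name,manifest.status,operatingSystem",
        "notSentEventsForHours": hours,
        "pageNumber": page_number,  # assumption: sent as integers in the body
        "pageSize": page_size,
    }


def http_fetch(token):
    """Return a fetch(body) callable that POSTs to /fim/v3/assets/search."""
    def fetch(body):
        req = urllib.request.Request(
            BASE_URL + "/fim/v3/assets/search",
            data=json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def silent_assets(fetch, hours, page_size=100):
    """Page through every asset that sent no events in the last `hours` hours."""
    assets, page = [], 0
    while True:
        rows = fetch(search_body(hours, page, page_size))
        assets.extend(row["data"] for row in rows)
        if len(rows) < page_size:  # short or empty page: nothing left
            return assets
        page += 1
        if page * page_size >= MAX_PAGED_ROWS:
            raise RuntimeError("more than 10,000 rows: switch to searchAfter")


def by_manifest_status(assets):
    """Group asset names by manifest.status to separate agent and profile problems."""
    groups = {}
    for asset in assets:
        status = asset.get("manifest", {}).get("status", "UNKNOWN")
        groups.setdefault(status, []).append(asset.get("name"))
    return groups
```

Call it as `by_manifest_status(silent_assets(http_fetch(token), 24))` to list, per manifest status, the assets that have been quiet for a day.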
Count the Assets 
/fim/v3/assets/count 
[POST] 


To count the assets based on criteria. 


Response Code 
- 200: Successful 
- 400: Bad Request 


- 500: Internal Server error 


Input Parameters 


Authorization (String) (Required) Authorization token to authenticate to the Qualys 
Cloud Platform. 
Prepend token with "Bearer" and one space. For example - 
Bearer auth Token 


filter (String) (Optional) Filter the Assets by providing a query 
using Qualys syntax. Refer to the "How to Search" topic in the 
Online Help for assistance with creating your query. 
For example - operatingSystem:'Microsoft Windows 10' 


groupBy (String) (Optional) Group results based on certain parameters (provide 
comma separated list). 
For example - operatingSystem 


interval (String) (Optional) GroupBy interval for date fields. Valid values are 
y(year), q(quarter), M(month), w(week), d(day), h(hour), 
m(minute), s(second). For example - 1d 
An interval lower than a second is not supported. 
Note: Value for each interval period should be 1. For example, 
you can specify an interval of 1y, 1M, 1w, and so on, but not 
2y, 3M, etc. 


limit (String) (Optional) Limit the number of rows fetched by the groupBy 
function. 


sort (String) (Optional) Sort the results using a Qualys token. For example - 
[{\"operatingSystem\":\"asc\"}] 


Sample 


Request: 


curl -X POST \
  https://gateway.qg1.apps.qualys.com/fim/v3/assets/count \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json 


Contents of request.json: 
{
  "filter": "interfaces.address:10.112.113.114",
  "limit": 5,
  "groupBy": ["manifest.status"]
}


Response: 
{ 